Crockett

"Understanding how technology drives 
business can help IT pros win jobs even as 
other positions are lost to outsourcing and 
middle-management cuts." 


Economic Recovery Brings Battle for Positions 

IT job wars will be won with business savvy 


The IT market is looking up—as is the rest of the economy.

According to Thomas Silver, senior vice president of the North America division of Dice.com, job postings on the technology-focused career site are up about 40 percent over this time last year. Silver said that some employers are telling him that they might have cut back a bit too much in the IT department, and now these companies need to catch up on infrastructure projects.

But the road to complete economic recovery for the IT market 
still has some rough patches because of the depth and duration 
of the downturn. Both Silver and Rich Milgram, founder and CEO 
of the career site Beyond.com, recently assessed the market and 
offered tips to IT pros in navigating the choppy tech job waters. 
Both experts emphasized that business savvy would differentiate IT 
pros in the job wars. Although the economy is on a steady upward 
trend, complete recovery in the IT market will be slow, according to 
Milgram. 

"There's a backlog of people who didn't find jobs last year who 
are now looking—particularly recent graduates and people whose 
companies didn't make it through the downturn," Milgram said. 
"In addition to that, you have companies that are skittish. When 
companies are unsure of revenues and the market trends, they tend 
to be very careful about hiring." 

Employers' caution translates into more lower-level hires rather 
than IT management hires. Milgram also pointed out that in this 
stage of an economic recovery, employers often test the market by 
hiring consultants. "Then as they see an upswing in revenue, they'll 
have a staff of 10 and realize that they don't have anyone to manage 
these people," Milgram said. "At that point, they'll need to put back 
that middle tier that they just got rid of. But in the meantime, in the 
next few months you'll see that battle for positions because of the 
downturn a year ago." 

Both Milgram and Silver emphasized the importance of IT pros understanding how technology drives business. This insight can help IT pros establish themselves as uniquely valuable to a company and win jobs even as other positions are lost to outsourcing and middle-management cuts. Milgram cautioned IT pros against becoming too entrenched in a specific technology. "Technology is changing rapidly—because of the good work done by technologists, tasks are becoming simpler to accomplish," he said. "So IT pros need to understand that although they might have specific skills that demand top dollar, the fact is that the world is becoming simpler and there is going to be downward pressure on salaries because of the evolving technology."

How can IT pros remain relevant when tasks are becoming 
simpler for power users to execute? The answer is to not put your 
headphones on and disappear behind a stack of data. Companies 
make decisions to send jobs overseas not because they relish having 
to communicate with people in the middle of the night, but simply 
because of price. Milgram recommends that IT pros sharpen their 
communications and business skills to avoid becoming invisible— 
and irrelevant. 

Silver said that IT managers in particular need to figure out 
how technology fits in with the company's overall business 
strategy. "If your company is in retail sales, it lives by retail sales," 
Silver said. "So any person in IT management needs to know 
where the technology contribution fits into the overall business." 
Understanding that connection means embracing new technology that can help drive profit—such as cloud computing or virtualization. "Employers are looking for employees who can make the infrastructure more efficient, either through cloud computing or virtualization."

Milgram had a specific example of an employee who needed 
to execute performance testing, but an appropriate box wasn't 
available. The employee uploaded the workload to the cloud, 
quickly earning himself extra points for understanding and using 
new technology to accomplish a task for a minimal cost. Rather 
than worrying about whether the cloud computing trend was 
going to eliminate IT jobs, this IT pro used the technology to his 
advantage. 

"I've never known a technologist to be scared of technology, so 
why is this different?" Milgram asked. "Accept it, understand it, be 
ready to understand the pros and cons, and be able to assess how 
it's valuable to your business." 

For more tips from these IT career site execs about coming through the downturn with a new—or better—career, check out the full interviews at www.windowsitpro.com/go/perspectives. And enjoy the ride in the next few months as companies realize they need IT pros now more than ever.

InstantDoc ID 125282 

MICHELE CROCKETT (michele.crockett@penton.com) helped launch SQL Server Magazine in 1999, has held various business and editorial roles within Penton Media, and is currently editorial and custom strategy director of Windows IT Pro, SQL Server Magazine, and System iNEWS.
Diagnostic and Recovery Tools at the Ready

Reading Paul Thurrott's column "What You Need to Know About Microsoft Desktop Optimization Pack 2009 R2" (April 2010, InstantDoc ID 103602) and Rhonda Layfield's article "XP to Windows 7 Migration with Microsoft Deployment Toolkit 2010" (April 2010, InstantDoc ID 103607) inspired me to download and install both products.

I enabled the Pre-Execution Environment (PXE) on the server running MDT 2010, and everything worked like a charm. Then I came up with an idea: Why not see if I can install the Diagnostics and Recovery Toolset (DaRT) so that the recovery tools are always at my disposal via PXE boot?

After installing the DaRT, I browsed to Start, Programs, Microsoft Diagnostics and Recovery Toolset, ERD Commander Boot Media Wizard. I created a boot disk and downloaded the latest Sweeper definitions. I inserted my new DVD into my PXE server. I opened Windows Deployment Services console, right-clicked Boot Images, selected Add Boot Image, and selected the WIM file located on the DaRT DVD.

Now, when I press F12 and boot from the network, I have all the DaRT tools instantly available! I can even walk a user through the repair steps, if necessary.

—Scot Wucher

Failover Clustering Hassles 

I'd like to offer a remark about John Savill's article, "4 Failover Clustering Hassles and How to Avoid Them" (April 2010, InstantDoc ID 103534). Describing high availability with virtualization, John writes that in the event of a virtual server crash it would take some time to restart a new copy of a virtual machine (VM) on another virtual server and so "with unplanned server downtime, you'll have a period of unavailability." My point is that this is the case for Microsoft's virtualization solution.

VMware vSphere has a special feature called Fault Tolerance, which allows two copies of a VM to run on different virtual servers simultaneously and to keep their states in sync (www.vmware.com/products/fault-tolerance). This solution provides zero downtime in case of a virtual server failure. I think this fact is worth mentioning since you sometimes write about VMware products in your magazine.

—Rustam Sharshenov 

Fault tolerance is a feature in VMware ESX 
4 with the company's high-end versions. 
However, it's important to remember that it 
currently works only with a single-processor 
VM and has some pretty significant network 
requirements, as all those CPU instructions 
that are in lockstep have to be sent over the 
network before being actioned. Thanks for 
pointing this out, though. 

—John Savill 

Migrating to Exchange Server 2010 
...Not! 

The fact that you've devoted a number of articles (and practically the whole May issue) to migrating Exchange has solidified my decision to move away from the Microsoft Money Churning Machine. The sheer cost and amount of work necessary to upgrade are enough to make my head spin. We'll look toward the heavens—or should I say the clouds?—for our future email needs.

We've decided to move to Google Apps. The move makes sense for an organization our size, and the migration is virtually painless. We have only about 100 mailboxes to move. With so many users already using some sort of web-based email (e.g., Gmail, Yahoo!) for their personal email, the learning curve is manageable and is more focused on how Google Apps differs from Outlook.

We've formed an eight-member test team utilizing dual delivery whereby email is delivered to Exchange and Google Apps simultaneously. This team ensures that we don't miss anything during our testing period. Reports from the team are positive so far. After a few training sessions, we'll be ready to roll out the product and retire the Exchange server.

—Scott Gutauckis

Microsoft vs. Google in the Cloud

After reading Paul Thurrott's commentary, "Kickin' It in the Cloud" (May 18, 2010, InstantDoc ID 125256), I'm inclined to believe that Paul doesn't deal with Microsoft from a technical standpoint very often. I would trust something that Google puts into beta much more than I would trust a "completed" Microsoft product. The first commercial edition of Windows Vista should have been the beta. If you compare Vista and Vista SP1/SP2, the original was the equivalent of a poor beta that users pumped millions of dollars into before Microsoft figured out how to make it work effectively. And what about Microsoft's several failed attempts to provide a 64-bit OS? And how the company tried to force its customers to use 64-bit via OEM systems but gave no warning of software/hardware compatibility issues? Paul also doesn't mention how Microsoft has attempted to recreate nearly all of Google's products.

—Chris Foster


Windows IT Pro welcomes feedback about the magazine. Send comments to letters@windowsitpro.com, and include your full name, email address, and daytime phone number. We edit all letters and replies for style, length, and clarity.
Instant Poll Results: Windows 7 Migration

If you currently do not have plans to migrate to Windows 7, why not?

[Bar chart; the image did not survive extraction. Response options: No budget for migration; Recently migrated to Vista; Not in sync with our upgrade/refresh cycle; No business justification; Moving to another client OS. Percentages shown: 36%, 34%, 14%, 14% and 2% (the pairing of bars to labels is not recoverable from the extracted text).]

Source: Windows IT Pro Instant Poll, www.windowsitpro.com, May 2010.



Why a SAN? 

Michele Crockett's editorial, "Exchange Upgrade Creates Domino Effect" (May 2010, InstantDoc ID 104627), has some good points to consider when upgrading to Exchange 2010. I enjoyed it until I got to the section about the company upgrade.

Why is the company going to a SAN? 

One of the best features of Exchange 2010 
is that you don't need a SAN and can use 
much cheaper disks and have three or 
four cheaper trays of drives for the price of 
one SAN. If all your data is stored on one 
SAN, you have a single point of failure. Is 
the company going to have multiple SANs 
(a very expensive option)? It seems as if the 
business's old architecture is how the new 
system should be set up, and the new setup 
is how their old email system should have 
been running. 

Crockett offers good points about the 
necessity to upgrade Outlook. But remember 
that Outlook Web Access (OWA) is very 
robust and has about 95 percent of Outlook's 
functionality! Keep up the good work. 

—Phillip Morton 


Shrink an NTFS Volume 

I'm responding to John Savill's FAQ, "How can I check the amount that I can shrink a volume from the command line?" (April 27, 2010, InstantDoc ID 125145). I'd like to give my input on the subject of shrinkable space available.

I had the same problem: lots of free space, but the shrinkable size was far less than the amount free. So, I defragged and defragged, but I saw no change in the space available to shrink. Then I came up with a solution: Before performing the shrink operation, move the page file during the operations, then turn off System Restore. Suddenly, I had lots of free shrinkable space. When the shrinking operation was done, I moved the page file back and turned on System Restore—on my more conveniently sized system drive.

—Tomas Legat 

For more detail on this topic, check out John Savill's FAQ, "I'm trying to shrink an NTFS volume, but the shrink value possible is far less than my free space. What's wrong?" (April 26, 2010, InstantDoc ID 125144)

—Amy Eisenberg
InstantDoc ID 125286


Oops! 

In the May issue's Community Forum, Brett A. Bennett wrote, "Raid 5 is slightly slower with writes only because the disks must skip over the parity blocks." The text should have read, "Raid 5 is slightly slower with reads ..." We apologize for the error.
6 Things You Need to Know About Email Compliance, Before It's Too Late

View this web seminar to gain insight in managing 
the monumental task of taming the chaos of 
compliance in your IT department. This event 
will supply you with guidelines to effectively 
develop procedures and implement the tools for 
enforcement of policy, because the time you spend 
now could reap benefits in the form of efficiency, 
risk reduction and the avoidance of penalties. 
windowsitpro.com/go/EmailCompliance 

Programming SharePoint Business Connectivity Services

Learn to create line of business applications that 
integrate external data sources with the SharePoint 
platform. SharePoint 2010's Business Connectivity 
Services make it easier than ever to build complex 
line of business applications based on the 
SharePoint platform. 

sharepointproconnections.com/go/SharePoint_eLearning_June2010
Thurrott

"Microsoft, if you wait until the next Office 
suite upgrade to rev Office Web Apps— 
and I think you want to do just that—then 
you've already lost the battle." 


NEED TO KNOW 


What You Need to Know About Windows Live Wave 4, 
Office Web Apps, KIN Phones, and HP and Palm 


Microsoft has an interesting mix of consumer and business technologies on tap for the middle of 2010, including its long-awaited Windows Live Wave 4 release ("Wave" refers to the group or wave of products to be released), which will encompass new online services like a revamped Hotmail and Windows applications; Office 2010, which will ship in traditional PC applications as well as new web-only offerings and mobile applications; and of course the upcoming release of Windows Phone 7, which is previewed, sort of, by a surprising new line of KIN phones. Here's what you need to know.

Windows Live Wave 4 

This year, Microsoft will provide massive updates to its Windows 
Live Essentials application suite, which "lights up" or "completes" 
Windows 7, and to Hotmail, which is the most popular web mail 
service on Earth. Both of these are important because the existing 
versions are overdue for major overhauls. 

Hotmail is being rearchitected to be more efficient for users, and 
Microsoft is deemphasizing the Windows Live name to focus on the 
popular Hotmail brand. Microsoft doesn't get enough credit for this, 
but Hotmail automatically derails far more spam every day than any 
other email service, and the software giant's experience with this 
has had an interesting and useful side-effect: Microsoft now does 
a much better job removing spam than any other service. In fact, 
others aren't even close. 

With the 2010 update to Hotmail, the company is turning its 
attention to "gray mail"—things like newsletters and promotional 
offers—which represents about 66 percent of all legitimate email 
sent through the service. And it's integrating more seamlessly with 
Office Web Applications—the web-based versions of Word, Excel, 
PowerPoint, and OneNote that shipped to businesses in May and to 
consumers in June, making email-based document sharing better 
than ever. 

And if that's not exciting enough for you, check this out: Microsoft is adding Exchange ActiveSync support to Hotmail so that you can seamlessly synchronize this service's email, contacts, and calendar data with virtually any smartphone on earth. We're talking Apple iPhone and iPad, Google Android (Nexus One, Droid), and Palm WebOS (Pre, Pixi). And Windows Phone 7, of course.

Why not just add IMAP support? Because IMAP works only with email, and Microsoft wanted to make sure its online contacts and calendaring services were equally accessible. This is a brilliant if overdue move.

As for Windows Live Essentials, you can expect to see Ribbon support across the many apps and a new emphasis for Windows Live Messenger, Microsoft's consumer-oriented instant messaging (IM) application. Messenger is expanding to become the center of Microsoft's social networking strategy and will integrate with Twitter, Facebook, MySpace, LinkedIn, and whatever else it is that people are doing these days, giving you a single control panel for those activities.

The sharing possibilities here are impressive, but I'm most 
excited by the news that Microsoft is going to deliver a native 
Windows Live Messenger application for the iPhone. We're entering 
a new era here, folks. 

Office Web Apps: A Cloud Too Far 

Speaking of the Office Web Apps—although I've reviewed Microsoft's first-ever web-based Office suite elsewhere, I wanted to reiterate my main point here: Office Web Apps doesn't offer the performance or functionality required to replace any desktop-based version of Office. This reality will likely lead to some soul-searching at corporations around the world.

I do feel that offering an Office 2010-like experience on the web is 
important, and that document fidelity, while not perfect, is certainly 
far better than anything Google offers. But Google's free Google Docs 
offering is, well, free, and it is certainly full-featured and getting more 
so all the time. 

My recommendation, broadly speaking, is that those still on 
Office 2003 or older should upgrade: Office 2010 offers tremendous 
usability advances, many tied to the excellent Ribbon UI. (And really, 
get over it, haters: The Ribbon is indeed superior.) Those on Office 
2007 have a tougher choice to make, but the advances in Outlook 
2010 could prove to be the deciding point for those who rely on 
Microsoft's heavy email and PIM product. 

I have advice for Microsoft as well. Office Web Apps isn't good 
enough in its current state. And if you're going to compete in this 
market, you must do as Google does and update this offering early 
and often. If you wait until the next Office suite upgrade to rev 
Office Web Apps—and I think you want to do just that—then you've 
already lost the battle. 

Those who use Office unwaveringly prefer it to Google Docs, because it's better. But for a coming generation of younger users, Google Docs is what they know, and the superiority of Microsoft's offerings is both an unknown and of no consequence.

Office Web Apps needs to be good 
enough to make the Google generation 
consider a change. Otherwise, it's only a 
matter of time. 

No KIN Do 

Microsoft surprised tech industry onlookers 
by delivering its first Windows Phone 
7-based devices, the KIN One and KIN 
Two, to consumers in May via Verizon 
Wireless. (A European launch is expected 
later this year.) But if you were hoping for 
a true Windows Phone 7 experience, you'll 
need to wait for September: Yes, the KIN 
phones—previously code-named Pink—do 
offer Exchange support, but they're targeted 
at the texting, social networking crowd, not 
on-the-go business users. And the devices 
don't even include a calendar, let alone an 
apps store, both of which seem like odd 
limitations in this day and age. 

My advice is to skip the KIN—except, 
perhaps for your kids—and either wait for 
Windows Phone 7 or evaluate the Apple 
iPhone or Google Android phones now. 
Both platforms are excellent. 

Web Standards and the Future 

Microsoft has been beating the drum for more meaningful web standards around such technologies as HTML 5 and Cascading Style Sheets (CSS), and plans to implement these things much more elegantly in Internet Explorer (IE) 9, its next browser.

Now, if you've been around for a while 
and are even slightly attuned to the web 
development space, you understand that 
"web standards" and "IE" are not exactly 
two great tastes that go together. But if you 
can get over past prejudices, I think you'll 
agree not only that Microsoft is right (this 
time at least) but that its plan for "fixing" 
web standards is both meaningful and 
necessary. 

Microsoft is planning some competitive 
advantages for IE 9, of course, and these 
fall neatly into categories like hardware 
acceleration (of video, graphics, and text) 
and display fidelity. And while I suspect 
that the company's efforts along these lines 
will be widely copied by the competition, 
that's not really my concern right now. 

What I feel far more strongly about is that the current set of browser tests and benchmarks—Acid3, SunSpider, and so on—is in fact contradictory to progress on the web, and that Microsoft's idea of "same markup" is the way to go.

Here's what I mean. Right now, browser makers adhere to different parts of various specs—HTML and CSS, for example—but there are no rules about how those specs should be implemented. Imagine if a PC made by Dell rendered Windows applications differently than a PC made by HP or Gateway. That is exactly what's happening on the web right now, and the advent of popular mobile browsers is exacerbating the situation.

What Microsoft is suggesting is that when a browser supports a specification, it should do so in a standardized way. That is, every browser should render the same HTML or CSS code identically. Right now, this isn't the case, even between browsers based on the same rendering engine, and it's causing major headaches for web developers.

Convincing other browser makers to back this plan will be difficult. But Microsoft does have a voice with the W3C standards body, and it has submitted thousands of sample tests for evaluation. By the time IE 9 hits the streets—I'm thinking early 2011—I hope some of the other browser makers will have signed on as well.

HP and Palm 

Computer giant HP surprised virtually everyone with its $1.2 billion purchase of ailing smartphone maker Palm in early May. But with the dust settling, it's starting to look like HP has a plan, and it goes well beyond a desire to own part of the $100 billion smartphone market.

First, the obvious bit. Yes, HP sort of competed in the smartphone space before the Palm purchase via a small line of iPaq devices, which ran an older version of Windows Mobile and presumably targeted a business audience. By buying Palm, HP gets a much stronger footing in this market, as well as ownership of a technically excellent smartphone platform called webOS.

But I think HP's strategy is more far-reaching than that. Given the success of Apple's iPad—which sold 1 million units in its first month on the market and basically established a new computing category all by itself—I believe that HP wants to establish itself as an Apple-like player that offers the full meal deal, with its own hardware, software, and online services.

And this means competing in the tablet 
space as well as the smartphone market, 
sure. But I also think that HP plans to make 
a PC play as well. 

Imagine a Mac-like offering from HP, running on traditional desktop and portable computers, with an apps store and other cloud services. It would be completely HP from top to bottom, and the company wouldn't need to pay licensing fees to Microsoft or any other company. And these PCs would be complemented by similarly designed smartphones and tablets, all running the same core OS.

Yes, it's a bit far-fetched, and yes, I 
do expect HP to move a bit tentatively 
into a market in which Microsoft will be 
both its bigger partner and its biggest 
competitor. 

But if the computing market is changing as dramatically as some believe, HP could actually be uniquely qualified to give Apple a run for its money in ways that few others—Google Android, perhaps—are prepared to do. It's a theory, anyway.
3 TOP TECH INITIATIVES TARGETED BY FRAGMENTATION

As CIOs and IT managers gear up to meet the challenges of stringent budgets and new tech initiatives, how they handle file fragmentation will contribute to the difference between cost-effective consolidation and increased overhead.

Virtualization

Efficiency vs. "fragmentation on top of fragmentation"

The hard disk is the slowest component of a system's throughput. File fragmentation only makes the bottleneck worse. In the case of virtualization, the disk must do far more; it must support numerous simultaneous operating systems and a greatly compounded rate of fragmentation both on the logical disk and the virtual disks.

These virtual disk files fragment just as any other file can, resulting in what amounts to a "logically" fragmented virtual hard disk, which still has typical file fragmentation contained within it. In other words, virtualization brings about a "fragmentation on top of fragmentation" that can quickly cripple system speed and negate the efficiency virtualization is designed to deliver.

Data Storage Management on SAN Devices

Is fragmentation still really an issue?

A storage area network (SAN) provides the ability to make 
remote disks appear to be local. SAN storage virtualization 
involves the creation of a usually very large, logical pool of 
data. Via software, that pool appears to be physically located 
all on one server. In actuality, that data may be located across 
hundreds of physical disks spread across dozens of servers. 

The local disk file system does not know of and cannot control the physical distribution or location in a virtualized storage environment. As a result of fragmentation, NTFS has to make multiple requests regardless of the physical or virtualized storage environment.

SANs cannot address file system level fragmentation and neither can proprietary architectures or data retrieval technologies. The overhead on the operating system is heavily impacted by fragmentation. Local disk file defragmentation is vital.

The Standard Operating Environment 

Lowering network operating costs with efficiencies of scale 

There are multiple dynamics that make up overall network 
efficiency but because file fragmentation is created at the 
operating system level regardless of how much free space 
is on the disk, its negative effect on the network is one 
of the most basic issues to resolve. When not effectively 
addressed, fragmentation creates a perfect storm of network 
issues including: 

* Slow read/write times 

* Slow backups and higher failure rates 

* Database lockups 


* Shorter productive disk life

* Spiraling energy costs

* Slow boot time 

* Increased Help Desk traffic 

* Higher re-imaging costs 

Resolving fragmentation at base image level would clearly 
make sweeping improvements to a network, lowering the cost 
of ownership with the least amount of effort. 

The Economics of Fragmentation Prevention

Diskeeper® 2010 technology and the system performance paradigm

Eliminating fragmentation as a performance issue has four basic goals: the reestablishing of optimum performance, reliability, longevity and energy efficiency in every system on a network. Only Diskeeper 2010 includes the innovative functionality to achieve this:

* It prevents up to 85% of all fragmentation before it occurs 

* It eliminates any remaining fragmentation in real time 

* It quickly handles even the largest mission-critical 
enterprise servers 

* It is completely automatic and invisible 

* It includes a centralized graphical administration console 
scalable to any size 

In reality, since every system fragments, any global solution must meet stringent requirements or its operational overhead will negate gains. Diskeeper 2010, with an edition for every Windows® system from laptops to the largest mission critical enterprise servers, is the only solution that increases performance and lowers total cost of ownership at the same time.



Special Offer 


Try Diskeeper 2010 FREE for 45 days! 

Download at www.diskeeper.com/specialtrial 
(Note: Special 45-day trialware is only available at the above link) 
Volume licensing and Government / Education discounts are 
available from your favorite reseller or call 800 829-6468 


© 2010 Diskeeper Corporation. All Rights Reserved. Diskeeper and "The only way to prevent fragmentation before it happens" are trademarks or registered trademarks of Diskeeper Corporation. All other trademarks are the property of their respective owners.




WINDOWS POWER TOOLS 


Minasi 

"Attach VHDs as drives whose entire 
contents you can roll back at a moment's 
notice—sort of a virtual do-over." 



Diskpart Takes Snapshots of Physical and Virtual Systems 

Windows Server 2008 R2 and Windows 7 support VHD rollbacks 


In “Diskpart Goes Virtual” (InstantDoc ID 103685) and “Diskpart Exerts VHD Control” (InstantDoc ID 125054), I showed you how to configure virtual hard disk (VHD) files on your Windows Server 2008 R2 or Windows 7 system, just like installing actual physical disks. Clearly, the “V” in VHD is a little misleading, as we use VHD files in physical rather than virtual machines (VMs).

But one of the coolest things about VMs is the ability to create 
snapshots that remember the VM's current state. You can return to 
a snapshot at any time by “rolling back" the VM. Server 2008 R2 and 
Windows 7's VHD support provides that sort of snapshot capabil¬ 
ity, letting you create VHDs and attach them as drives whose entire 
contents you can roll back at a moment's notice—sort of a “virtual 
do-over." The capability just requires a bit of Diskpart work. But the 
work is worth it, letting you extend the simplicity, speed, and power 
of VM snapshots to data volumes and even system volumes. That's 
right—you can snapshot a physical rather than a virtual machine. 

To get Diskpart to do that work, however, you need to under¬ 
stand the way Microsoft thinks about snapshots. Suppose you have 
a drive P that's actually a VHD, and you want to give it the snapshot 
capability. In Microsoft parlance, you do that by employing two 
VHDs—one called the parent and the other called the child. 

In this model, you'd call P's original VHD the parent VHD. To make P snapshot-capable, you wouldn't do anything to the parent; instead, you'd use Diskpart to create a second VHD called a child VHD. (When you create the VHD, you must inform Windows that the new VHD is a child and you must identify the name of the parent VHD.) You then tell Windows to no longer attach the parent as P, because to get snapshot functionality you must attach the child VHD, which automatically becomes P. Assuming that the parent VHD is called e:\parent.vhd and the child is named e:\child.vhd, you'd type the following commands:

select vdisk file=e:\parent.vhd 
detach vdisk 

create vdisk file=e:\child.vhd parent=e:\parent.vhd 
select vdisk file=e:\child.vhd 
attach vdisk 

You detach the parent first because you can't create a child to a parent VHD if that parent is currently attached. Notice that the syntax to create a child VHD is simple. You need to know only two things about the command: First, you can create a child VHD only from an expandable parent; if your would-be parent VHD is of a fixed size, you can't create a child for it. Second, don't specify a size for the child VHD; a child VHD can't grow beyond the size of the parent.

The next two commands select and attach the new child. After 
this process, drive P appears again. The user really has no idea that 
he or she is working with a child instead of a parent. 

Now that you have a drive that can be rolled back, how do you 
do it? You can either tell Windows to roll back P to its pre-child state 
(i.e., delete all changes) or tell Windows to incorporate child.vhd's 
changes into parent.vhd (i.e., accept all changes). To tell Windows 
to forget anything you did to child.vhd and to essentially roll back 
the changes to P, just detach child.vhd and re-attach parent.vhd: 

select vdisk file=e:\child.vhd 
detach vdisk 

select vdisk file=e:\parent.vhd 
attach vdisk 

At this point, child.vhd is of no value; you can delete it. But if you're happy with the changes you've made to P under the guise of child.vhd, use the Merge Vdisk command. To do that, you must first detach the child VHD, then select that VHD, then use the Merge Vdisk command to stuff child.vhd's changes into parent.vhd, then re-select and re-attach parent.vhd. Again, you can now delete child.vhd, as it's superfluous at this point. Here's the syntax:

select vdisk file=e:\child.vhd
detach vdisk

merge vdisk depth=1

select vdisk file=e:\parent.vhd
attach vdisk

To merge child.vhd into parent.vhd, just make sure that neither 
child nor parent is attached, then select the child and use the 
Merge Vdisk command. Now, you can just use the parent. 
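To run these three Diskpart sequences without retyping them, here is an added PowerShell wrapper (my example, not the article's code) that feeds each sequence to Diskpart through a script file. It assumes an elevated session, diskpart.exe on the path, and the same e:\parent.vhd and e:\child.vhd names as above, with the parent being an expandable VHD.

```powershell
# Added example, not from the article: snapshot, roll back or commit a VHD
# using the parent/child model described above. Paths below are the
# article's constructed names; adjust them for your system.

function Invoke-Diskpart {
    param([Parameter(Mandatory)][string[]]$Commands)
    # Diskpart /s runs a script file, so write the commands to a temp file.
    $script = [System.IO.Path]::GetTempFileName()
    try {
        Set-Content -Path $script -Value $Commands -Encoding ASCII
        $output = & diskpart.exe /s $script
        if ($LASTEXITCODE -ne 0) {
            throw "Diskpart failed (exit $LASTEXITCODE):`n$($output -join "`n")"
        }
        $output
    }
    finally {
        Remove-Item -Path $script -ErrorAction SilentlyContinue
    }
}

function New-VhdSnapshot {
    # Detach the parent (a child cannot be created while the parent is
    # attached), create the child with no size (it can't outgrow the
    # parent), then attach the child so it takes over the drive letter.
    param([Parameter(Mandatory)][string]$Parent,
          [Parameter(Mandatory)][string]$Child)
    if (Test-Path -Path $Child) { throw "Child VHD already exists: $Child" }
    Invoke-Diskpart @(
        "select vdisk file=`"$Parent`"",
        "detach vdisk",
        "create vdisk file=`"$Child`" parent=`"$Parent`"",
        "select vdisk file=`"$Child`"",
        "attach vdisk"
    )
}

function Undo-VhdSnapshot {
    # Roll back: discard everything written since the snapshot by
    # detaching the child and re-attaching the parent, then delete the child.
    param([Parameter(Mandatory)][string]$Parent,
          [Parameter(Mandatory)][string]$Child)
    Invoke-Diskpart @(
        "select vdisk file=`"$Child`"",
        "detach vdisk",
        "select vdisk file=`"$Parent`"",
        "attach vdisk"
    )
    Remove-Item -Path $Child
}

function Complete-VhdSnapshot {
    # Commit: merge the child's changes into the parent. Neither VHD may be
    # attached when 'merge vdisk' runs; depth=1 merges one level of child.
    param([Parameter(Mandatory)][string]$Parent,
          [Parameter(Mandatory)][string]$Child)
    Invoke-Diskpart @(
        "select vdisk file=`"$Child`"",
        "detach vdisk",
        "merge vdisk depth=1",
        "select vdisk file=`"$Parent`"",
        "attach vdisk"
    )
    Remove-Item -Path $Child
}

# Constructed usage, same names as the article:
# New-VhdSnapshot      -Parent 'e:\parent.vhd' -Child 'e:\child.vhd'
# Undo-VhdSnapshot     -Parent 'e:\parent.vhd' -Child 'e:\child.vhd'   # roll back
# Complete-VhdSnapshot -Parent 'e:\parent.vhd' -Child 'e:\child.vhd'   # accept changes
```

Diskpart refuses to detach a VHD whose volume is in use and refuses to create a child of a fixed-size parent; both surface as a non-zero exit code and are thrown by Invoke-Diskpart.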

How might you use this capability? Say you want to try something without screwing up a system, but for some reason it's not wise to use a VM for the tests. With this snapshot feature, you can run your app on a physical machine but keep the data virtual.
Otey

"Learning the shell's nuances is essential 
for productive PowerShell work." 


PowerShell Command Shell Tips and Tricks 

Learn these 10 indispensable techniques for command-shell mastery 



Windows PowerShell is Microsoft's preferred scripting language, and most of Microsoft's server products now have PowerShell cmdlets so that you can manage them with PowerShell scripts. However, PowerShell is more than a scripting language. PowerShell also has its own command shell. Learning the shell's nuances is essential for productive PowerShell work. In this column, you'll learn 10 indispensable techniques for working in the PowerShell command shell.

1. Redisplay the last command— To redisplay the last command you entered in the PowerShell command shell, press the up arrow key. Continuing to press this key scrolls through the history of the commands entered. Use the down arrow key to scroll back through the list of commands.

2. Replay previous input— While the up and down arrow keys let you scroll through the entire previous command line, the right arrow key allows you to quickly enter the characters from the previous command. Pressing the right arrow displays the characters from the previous command one character at a time.

3. Use QuickEdit to copy text— Although it's not obvious, the PowerShell command shell lets you select and quickly copy any text displayed in the command shell. Use the mouse to select the text to be copied, then press Enter or right-click on the selected text to copy it to the clipboard. You need to enable QuickEdit Mode on the Options tab of the PowerShell Properties dialog box to take advantage of this feature.


4. Recognize and escape from incomplete input— If you enter a PowerShell command but the statement isn't complete, the command shell displays its incomplete input prompt, >>. You can then complete the command, or you can cancel the current command or input request by pressing Ctrl+c.

5. Create variables without a script— You might think that variables can be created only inside scripts, but that's not the case. You create a variable in the command shell simply by prefixing the $ symbol to a name:

$server = "MyServer"

6. Use piping to chain commands together— Piping uses the pipe separator symbol (|) to send the output of a command to the input of another command. Piping works with all PowerShell commands. The following example shows how you can pipe the output of the dir command to Sort-Object in order to sort the output according to file size:

dir | sort-object -property length, name

7. Use redirection to send a command's output to a file— Redirection lets you direct the results of a command to a file. You use redirection by adding > to the end of a command, followed by the path for where you want the output to go. This example shows how you can redirect the output of the dir command to a file called mydir.txt:

dir > c:\temp\mydir.txt

8. Right-click the mouse to paste into the command shell— The standard Ctrl+v paste command doesn't work inside the PowerShell command window. Instead, after you've copied text to the clipboard, you position the mouse at the command shell command prompt and just right-click to paste the contents of the clipboard to the input line.

9. Use tab for auto completion— Using the tab key as you type commands causes the PowerShell command window to attempt to complete the commands you're typing. For instance, entering

Get [tab]

displays the first PowerShell Get- cmdlet alphabetically, which is Get-Acl. Continuing to press tab cycles through all the available Get- cmdlets.


10. Use Properties to customize the command shell— To change the PowerShell command shell properties, click the PowerShell icon displayed in the upper left corner of the title bar of the command shell window and select Properties to open the Properties dialog box. The Layout tab lets you change the screen size, the Options tab lets you change the command buffer size, and the Colors tab lets you change the command shell's font and background colors.
WHAT WOULD MICROSOFT SUPPORT DO?


Stock 

"Special Pool is the'smoking gun' 
methodology used to catch drivers 
corrupting memory in real time." 



Pinpoint the Source of Memory Corruption 

Use Special Pool to catch drivers corrupting kernel memory in real time 


Last month, in "Troubleshooting Kernel Memory Corruption" (June 2010, InstantDoc ID 125143), I discussed kernel memory corruption and walked through a high-level kernel pool memory primer. In this article I'll continue the discussion focusing on Special Pool, the primary tool used by the Microsoft support team to troubleshoot kernel memory corruption. We left off by introducing Special Pool as the "smoking gun" methodology used to catch drivers corrupting memory in real time by allocating guard pages around memory allocations. The idea is to catch a driver writing beyond its allocation by forcing it to write into a guard page, causing the system to crash immediately with the culprit on top of the stack.

Using Special Pool to Catch a Problem Driver 

In order to do this, a few things change in the memory model. When a driver is tracked under Special Pool, its allocations are no longer shared on a 4KB page. Instead an entire 4KB page is dedicated to the allocation with the driver's buffer placed at the bottom of the page. The intent is to later catch the driver reading or writing beyond its allocation and spilling into the next unallocated guard page. This overrun condition touches the guard page, causing a Bug Check 0xCD: PAGE_FAULT_BEYOND_END_OF_ALLOCATION blue screen crash. Reviewing the memory dump should show the driver that wrote beyond the allocation.

The rest of the page holding the buffer is filled with a random bit-pattern signature, which on the surface seems uninteresting; however, it serves a very useful purpose. When the memory manager frees the allocation, it scans the entire bit pattern looking for changes to the signature. If the signature was overwritten by even a single bit, the memory manager halts the machine with a Bug Check 0xC1: SPECIAL_POOL_DETECTED_MEMORY_CORRUPTION. Finding corruption in this bit pattern could indicate an underrun condition, in which case we would recommend the use of a special flag to enable the monitoring of underruns. In this model, the diagram is flipped with the driver buffer moved to the top of the page followed by the bit pattern continuing to the bottom of the page. The hope is to catch a read or write landing too early and hitting the guard page ahead of the allocation.

Setting the Trap: Methods for Enabling Special Pool 

Special Pool can be enabled using several methods. Historically you could enable Special Pool by directly editing the registry. Adding the value PoolTagOverruns with the value of 1 to the registry subkey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management enables overrun detection; changing the value to 0 monitors for underruns. Under the same registry location, the value PoolTag indicates the tag to trace. This value allows a lot of freedom, including the use of wildcard characters.

In cases where we are unable to determine which tag is causing the corruption, we typically recommend using the hexadecimal value 0x2a (the ASCII equivalent of *) to monitor tags for all drivers. It's important to note that not all allocations will be allocated from Special Pool memory because it's a finite resource. Also it's an expensive resource because the memory manager allocates an entire 4KB page of memory for the buffer and two additional virtual no-access guard pages, so it's not recommended to run in this mode after you've determined the root cause of the memory corruption.
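As an added example (not from the article), the registry method above in PowerShell: it writes the PoolTag and PoolTagOverruns values under the Memory Management key named above and removes them again once the investigation is over. The packing of a four-character tag into the DWORD (first character in the low byte, the way pool tags sit in memory) is my assumption rather than something the article states, so compare the result with what Gflags writes before relying on it.

```powershell
# Added example, not from the article: arm and disarm Special Pool through
# the registry values described above. A reboot is still required for the
# change to take effect, exactly as with editing the registry by hand.

$MemMgmt = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

function ConvertTo-PoolTagValue {
    # '*' (0x2a) means every tag, as the article says. For a named tag this
    # example ASSUMES the DWORD holds the tag's ASCII bytes with the first
    # character in the least significant byte (little-endian), which is how
    # pool tags are laid out in memory; verify against Gflags before use.
    param([Parameter(Mandatory)][string]$Tag)
    if ($Tag -eq '*') { return [uint32]0x2a }
    if ($Tag.Length -lt 1 -or $Tag.Length -gt 4) {
        throw "Pool tags are one to four ASCII characters: '$Tag'"
    }
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($Tag.PadRight(4))
    [System.BitConverter]::ToUInt32($bytes, 0)
}

function Enable-SpecialPool {
    # PoolTagOverruns = 1 traps writes past the end of the buffer (the
    # default mode); 0 flips the page layout so underruns hit the guard page.
    param([Parameter(Mandatory)][string]$Tag, [switch]$Underruns)
    $value    = [int](ConvertTo-PoolTagValue -Tag $Tag)
    $overruns = if ($Underruns) { 0 } else { 1 }
    Set-ItemProperty -Path $MemMgmt -Name PoolTag         -Value $value    -Type DWord
    Set-ItemProperty -Path $MemMgmt -Name PoolTagOverruns -Value $overruns -Type DWord
    'PoolTag=0x{0:x8} PoolTagOverruns={1}; reboot to arm Special Pool' -f $value, $overruns
}

function Get-SpecialPool {
    # Show what is currently configured so you know whether a box is armed.
    Get-ItemProperty -Path $MemMgmt -Name PoolTag, PoolTagOverruns -ErrorAction SilentlyContinue |
        Select-Object PoolTag, PoolTagOverruns
}

function Disable-SpecialPool {
    # Special Pool costs a full page plus two guard pages per allocation, so
    # remove the values once the culprit is known (takes effect at reboot).
    foreach ($name in 'PoolTag', 'PoolTagOverruns') {
        Remove-ItemProperty -Path $MemMgmt -Name $name -ErrorAction SilentlyContinue
    }
    'Special Pool registry values removed; reboot to disarm'
}

# Constructed usage:
# Enable-SpecialPool -Tag '*'              # all drivers, overrun detection
# Enable-SpecialPool -Tag 'Fat ' -Underruns   # one tag, underrun detection
# Get-SpecialPool
# Disable-SpecialPool
```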

Another tool to enable Special Pool is the Global Flags (Gflags) utility, which is included with the Windows Debugging tools. Gflags comes in both a GUI and command-line option and includes a comprehensive Help file. Special Pool is enabled on the System Registry tab in the GUI version of Gflags, which Figure 1 shows, by entering the tag you want to track. There's an option to track overruns by selecting the Verify End radio button, or underruns by selecting Verify Start. Like the other tools, Gflags defaults to monitoring for overruns. This tool is another option to target all tags with a wildcard or a specific tag, but it doesn't give you the flexibility to select a list of tags. It does, however, give you the option to track allocations by size if you enter the size value in hex format instead of a four-character tag, but this isn't the best approach because it will monitor all drivers with the allocation size.

Figure 1: Using the Global Flags utility to enable Special Pool

Both of the previous methods require a 
reboot, which may not be an option if your 
production server cannot be taken down for 
a maintenance window. The good news is 
with versions of the Windows kernel starting 
with 6.0 (i.e., Windows Vista and later), you 
can use kernel flags to enable Special Pool, 
thereby preventing the necessity of a reboot; 
however, the change will not persist across a 
reboot. 

If you use the Gflags command-line utility to specify the kernel flag, you can enable Special Pool on the fly by specifying /k with the Special Pool switch +spp. Here's an example of using the command to monitor allocations of size 30 until the next reboot:

Gflags /k +spp 0x30 

Refer to the Global Flags Help file to find 
complete usage information for the tool. 

Driver Verifier is another tool that Microsoft support prescribes to enable Special Pool. It's my favorite tool because it provides more granular options than the other tools as well as walk-through wizards. The previously mentioned tools are limited to single drivers or wildcards, whereas Verifier gives the option to choose several drivers from a list.

Here are the typical steps I would perform when using Driver Verifier with Special Pool to investigate a kernel memory corruption problem:

1. Open Driver Verifier by running verifier.exe from the command line.

2. When the tool opens, select Create custom settings (for code developers) and click Next.

3. Select the option Select individual settings from a full list and click Next.



Figure 2: Using Driver Verifier to track specific drivers using Special Pool 


4. Select the Special Pool option. After 
you click Next, the screen in Figure 2 
provides several options, among them 
Select driver names from a list. This option 
lets you use a more precise approach so 
that you choose only specific drivers to 
track. 

After rebooting, the server will continue to run until Special Pool catches a driver corrupting pool. A memory dump may show the bad driver on the stack. Once you've completed your investigation, it's important that you disable Verifier by using the option available in the wizard.

A Few Caveats 

Special Pool can be very useful in troubleshooting memory corruption, but it isn't perfect. In some cases, enabling Special Pool changes the timing and causes the problem to stop reproducing. In other cases, Special Pool catches the culprit while the machine is booting, which causes the machine to crash before logon. Remember, it's the job of Special Pool to crash the machine with the culprit on the stack. If this happens prematurely, the crashing machine may prevent the user from disabling Special Pool, which changes the dynamic of the scenario into a critical no-boot issue. As a caveat, if you find yourself in this situation, the Last Known Good option will disable Special Pool by restoring the registry settings back to their previous state.

Another downside of the tool is the red herring effect. Special Pool can very easily discover memory corruption bugs in other drivers that wouldn't normally cause system instability in production. This isn't necessarily a bad thing; however, it may increase the time of the investigation or might lead you to believe that you resolved the problem before catching the real guilty party.

Wrapping Up 

This series merely scratched the surface of troubleshooting memory corruption problems. In fact, I haven't even discussed the methodology used to determine which tags to target with Special Pool. This subject alone would fill an entire article in itself. In many cases, it's more of an art than science, much like debugging. Suffice it to say that for the majority of cases, Special Pool gets the job done well and helps Microsoft's support teams solve many kernel memory-corruption issues.

InstantDoc ID 125208 


RON STOCK (ronsto@microsoft.com) is an escalation engineer for Microsoft's Global
.com/ntdebugging.
How to Trigger a One-Time Group Policy Registry Refresh

In Group Policy, one of the key components is the registry client-side extension, which makes changes to the Group Policy Objects (GPOs) in the local computers' registries. At regular intervals or upon reboot, Group Policy compares the server's list of GPOs that applied registry settings against each local computer's list of GPOs that applied registry settings. (The lists include more than just the GPOs' names. Other details, such as the GPO version and path, are also included.) If the GPO lists match, Group Policy doesn't run the extension by default. From a performance standpoint, it doesn't make sense to run the extension to refresh the local computer's registry when nothing has changed. However, there are situations in which a local computer's registry might need to be refreshed, even though the server's GPO list and the local computer's GPO list match.

You can force a registry refresh anytime by including the Gpupdate /force command or by enabling the Process even if the Group Policy objects have not changed option. However, you might not want to force a registry refresh at each computer startup because of the extra overhead it'll cause. This is especially true when you need to force a registry refresh only once in a while.

A better approach is to use a one-time Group Policy registry refresh. A good example of when you might want to use this is after you install software that modifies some registry settings that are currently being managed through a GPO. As far as Group Policy is concerned, nothing has changed, even though the software has overwritten the registry settings. By triggering a one-time registry refresh, any settings that were overwritten during the software's installation will be set back to the way they should be.

How to Trigger a Registry Refresh

You can accomplish a one-time registry refresh by changing the local computer's Group Policy history. That way, at the next reboot or Group Policy refresh, Group Policy will detect a mismatch between the server's and the local computer's GPO lists and run the registry client-side extension.

On a server, Group Policy gets the GPO list from Active Directory (AD). On a local computer, Group Policy gets the GPO list from the registry. When a GPO is applied to a local computer, information about it is written to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History. Information about the GPOs applied by the registry client-side extension is written to the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} key. The number in the brackets is that extension's globally unique identifier (GUID). (For a list of the GUIDs for the other basic Group Policy client-side extensions, see the Microsoft article "Identifying Group Policy Client-Side Extensions" at support.microsoft.com/kb/216357. Although this article was written for Windows 2000, the GUIDs are the same for later versions of Windows.)

Each subkey under the {35378EAC-683F-11D2-A89A-00C04FBBCFA2} registry key represents a GPO. The order of the subkeys indicates the order in which the GPOs were applied. The entries in each GPO subkey contain such details as the GPO's name, version, and path.

Rearranging the order of the subkeys, changing the GPO version information for any one of them, or making any other significant modification will change the local computer's GPO list. This means that the server's GPO list won't match the local computer's GPO list, forcing the registry client-side extension to re-apply the registry settings at the next reboot or the next Group Policy refresh, which is every 90 minutes by default.

I've found that the easiest way to trigger a one-time registry refresh is to simply remove the entire first subkey under the {35378EAC-683F-11D2-A89A-00C04FBBCFA2} key, which will always be named 0, as Figure 1 shows. If you have any registry policy settings defined in a Local Group Policy, the 0 subkey represents the Local Group Policy. If not, the 0 subkey represents the first GPO that applied registry settings from AD.

I wrote a VBScript script, TriggerGPORegistryRefresh.vbs, that deletes the 0 subkey. You need administrative rights to run this script. After you run it, the registry client-side extension will refresh the registry at the next reboot or the next Group Policy refresh.

Testing the Script 

Figure 1: The 0 subkey

To see TriggerGPORegistryRefresh.vbs in action, you can enable the registry's user environment debug logging functionality, which logs messages in the userenv.log file. (If you're unfamiliar with how to enable this functionality, see support.microsoft.com/kb/221833.) On a computer where Group Policy registry settings haven't changed so no refresh occurred (and there were no settings to force a change), you'll see the following message:

Read extension Registry
Read Extension's Previous status successfully
The lists are the same.
No GPO changes and no security group membership change and extension Registry has NoGPOChanges set.

When you see this message in userenv.log, run TriggerGPORegistryRefresh.vbs and reboot the computer. Go back into the userenv.log file. It will now show the following message:

Read extension Registry
Read Extension's Previous status successfully
One list is empty.
Entering for extension Registry

The line "One list is empty" indicates that the script successfully triggered a registry refresh.

Another way to observe TriggerGPORegistryRefresh.vbs in action is to follow these steps:


1. On a test computer, find a nonpolicy registry setting that was previously configured by a GPO. By "nonpolicy" registry setting, I mean a registry preference setting that:

• Doesn't reside under the HKLM\Software\Policies key or the HKLM\Software\Microsoft\Windows\CurrentVersion\Policies key. Because it's not under a Policies key, it's considered a preference.

• Stays behind when the GPO that applied it is no longer used.

Figure 2 shows an example of this kind of registry setting.

2. For the nonpolicy registry setting you selected in step 1, replace the existing value (which we will consider as the correct one) with a new value (which we will consider as the incorrect one) in the registry.

3. Reboot the computer, then check the value of the nonpolicy registry setting you changed. You'll still see the new incorrect value, provided there were no GPOs applied elsewhere to cause the registry client-side extension to perform a registry refresh for that computer.

4. Run TriggerGPORegistryRefresh.vbs on the test computer.

5. Reboot the computer, then check the value of the nonpolicy registry setting you changed. You should now see the old correct value rather than the updated incorrect one.


Listing 1: TriggerGPORegistryRefresh.vbs

Option Explicit

' Registry hive and the registry client-side extension's history key
Const REGROOT = "HKLM"
Const TITLE = _
    "Trigger Registry Policy Processing"
Const REGHIST = "Software\Microsoft\Windows\CurrentVersion\Group Policy\History\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}"

Dim objShell, strCommand
Set objShell = CreateObject("WScript.Shell")

' Delete subkey 0 (the first GPO in the history) without prompting (/F);
' the resulting list mismatch makes the extension re-apply registry settings
strCommand = "REG DELETE """ & REGROOT & _
    "\" & REGHIST & "\0"" /F"

' Run REG hidden (window style 0) and wait for it to finish (True)
objShell.Run strCommand, 0, True
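The same one-time refresh in PowerShell, as an added example rather than the article's script: it lists what the history subkeys represent before removing subkey 0 and supports -WhatIf. The value names DisplayName, GPOName and Version read from each subkey are assumed (the article says name, version and path are stored there); the history path is the one given above, and the session must be elevated.

```powershell
# Added example, not from the article: inspect the registry client-side
# extension's GPO history and delete subkey 0 to trigger a one-time refresh.

$RegistryCseHistory = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'

function Get-RegistryCseHistory {
    # Lists the GPOs the registry client-side extension last applied, in
    # application order (the subkeys are named 0, 1, 2, ...). The value
    # names DisplayName, GPOName and Version are ASSUMED; the article only
    # says name, version and path are stored in each subkey.
    Get-ChildItem -Path $RegistryCseHistory -ErrorAction Stop |
        Sort-Object { [int]$_.PSChildName } |
        ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            New-Object PSObject -Property @{
                Order       = [int]$_.PSChildName
                DisplayName = $p.DisplayName
                GPOName     = $p.GPOName
                Version     = $p.Version
            }
        }
}

function Invoke-GpoRegistryRefresh {
    # Deleting subkey 0 makes the local GPO list differ from the server's,
    # so the extension re-applies registry settings at the next refresh or
    # reboot. Nothing else in the history is touched.
    [CmdletBinding(SupportsShouldProcess=$true)]
    param()
    $target = Join-Path -Path $RegistryCseHistory -ChildPath '0'
    if (-not (Test-Path -Path $target)) {
        Write-Warning "No registry policy history found at $target; nothing to trigger."
        return
    }
    if ($PSCmdlet.ShouldProcess($target, 'Remove GPO history entry 0')) {
        Remove-Item -Path $target -Recurse
        'History entry 0 removed; the next Group Policy refresh or reboot re-applies registry settings.'
    }
}

# Constructed usage: review the history, dry-run, then do it.
# Get-RegistryCseHistory | Format-Table Order, DisplayName, Version -AutoSize
# Invoke-GpoRegistryRefresh -WhatIf
# Invoke-GpoRegistryRefresh
```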


Ways to Use the Script 

If you're going to install a software package in your AD environment that might overwrite some nonpolicy registry settings that are currently being managed through GPOs, you can use the code in Listing 1 as the last step of the installation process. You can download TriggerGPORegistryRefresh.vbs by going to www.windowsitpro.com, entering 125265 in the InstantDoc ID box, clicking Go, then clicking the Download the Code Here button.

Another way to force a one-time 
Group Policy registry refresh on all 
computers in an AD organizational unit 
(OU) is to link a "toggle" GPO that does 
only one thing: Sets a single GPO registry 
setting to the same value that's already 
being managed through another GPO. 
That way, when you enable the link in 
AD, the "toggle" GPO will now be on 
the list of GPOs for registry processing, 
causing a mismatch between each local 
computer's GPO list and the server's GPO 
list. In 90 minutes or so, Group Policy will 
notice the mismatch and have the registry 
client-side extension perform a one-time 
registry refresh. 

You can leave the "toggle" GPO linked 
and enabled until the next time you need 
to trigger a registry refresh. Then all you 
need to do is disable the GPO link in AD, 
which will trigger another mismatch 
between the GPO lists and hence another 
registry refresh. You can toggle the GPO 
on and off whenever you feel the need to 
ensure a one-time registry refresh. 

—Harry Verge, senior technology 
specialist, Calgary 
InstantDoc ID 125265 



Figure 2: An example of a nonpolicy registry setting 
1. Make a full system backup of the computer and system state.

2. Log on as an Administrator. 

3. Start Regedt32.exe. 

4. Go to the following registry key: 

HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices

5. Click MountedDevices. 

6. On the Security menu, click Permissions. 

7. Verify that Administrators have full control. Change this back when you are finished with 
these steps. 

8. Quit Regedt32.exe, and then start Regedit.exe. 

9. Locate the following registry key: 

HKEY_LOCAL_MACHINE\SYSTEM\Mounted Devices 

10. Find the drive letter you want to change to (new). Look for "\DosDevices\C:". 

11. Right-click \DosDevices\C:, and then click Rename. 

Note: You must use Regedit instead of Regedt32 to rename this registry key.

12. Rename it to an unused drive letter "\DosDevices\Z:".

This frees up drive letter C. 

13. Find the drive letter you want changed. Look for "\DosDevices\D:". 

14. Right-click \DosDevices\D:, and then click Rename. 

15. Rename it to the appropriate (new) drive letter "\DosDevices\C:". 

16. Click the value for \DosDevices\Z:, click Rename, and then name it back to "\DosDevices\D:".

17. Quit Regedit, and then start Regedt32. 

18. Change the permissions back to the previous setting for Administrators (this should 
probably be Read Only). 

19. Restart the computer. 


Figure 3: Microsoft's instructions 


Changing the Windows System Drive Letter

Sometimes Windows system drive letters get altered, and the Control Panel's Disk Management tools can't solve the problem because the drive has to be dismounted. However, it's possible to quickly fix this problem without dismounting the drive. Here's how I recently did so.

A customer called and said that when he logged on to his Windows XP Pro machine, the desktop icons were there, but they were missing the icon artwork. In addition, while some of the icons still worked, others displayed various error dialog boxes.

Using our company's remote management software, I accessed his computer and opened Windows Explorer. I noticed that the system drive letter (i.e., the drive where Windows is located) was no longer C. Instead, it was D, which was a data storage hard drive on his system.

In Control Panel, I selected Administrative Tools, then Computer Management. After expanding the Storage branch, I selected Disk Management. In the Disk Management window, you can typically right-click the partition of interest, select Change Drive Letters and Paths, click Change, and select an available drive letter for the Assign the following drive letter option. In this case, however, I received a dialog box with the following message: Windows cannot modify the drive letter of your system volume or boot volume.

After a little research, I discovered the Microsoft article "How to restore the system/boot drive letter in Windows" (support.microsoft.com/kb/223188). This article provided the steps I needed to correct the problem. However, even though Microsoft stated that the information was applicable to XP, Windows Server 2003, and Windows 2000, I found a few steps unnecessary when you're applying it to XP.

Basically, "How to restore the system/boot drive letter in Windows" tells you how to do a little shell game with the OS drive letter. (The article assumes that C is the real OS drive or partition and D is a real non-OS drive or partition on your system.) First, you temporarily rename the non-OS drive (the one that's incorrectly labeled as C) to Z. Next, you rename the real OS drive letter (the one that's incorrectly labeled as D) to C. Finally, you rename the non-OS drive letter from Z to the correct letter of D.

The HKLM\SYSTEM\MountedDevices registry key is used to rename the OS and non-OS drives. In a nutshell, the article tells you to log on as an Administrator, use regedt32 to change this key's permissions to Full Control for the Administrators security group if necessary, use regedit to rename the drives, then use regedt32 to change the permissions back. (See Figure 3.)

However, note that: 

• In XP and later, regedt32 redirects to regedit. So, if you're using XP or later, you can open regedit in step 3 and use it throughout, which makes steps 8 and 17 unnecessary. (If you're running Win2K Pro, you still need to use regedt32.)

• Although the "How to restore the system/boot drive letter in Windows" article doesn't mention it specifically, if the problem PC is in a domain environment, you should log on as the domain's administrator (or a member of the Domain Administrators security group). If the problem PC is in a nondomain (i.e., local) environment, you should log on as the local PC's administrator (or user who is a member of the Local Administrators security group). Otherwise, the permissions will be greyed out and you won't be able to change them if necessary. If you do change the permissions, remember to return the permissions to the previous setting for Administrators, as step 18 instructs you to do.
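As an added example (not from the article or the Microsoft KB), the Figure 3 rename sequence done in PowerShell: it checks that the \DosDevices values are in the expected state, exports the key as a backup, then performs the C to Z, D to C and Z to D renames with -WhatIf support. It assumes an elevated session that already has write access to MountedDevices (steps 6 and 7 of Figure 3); the drive letters are parameters that default to the article's scenario.

```powershell
# Added example, not from the article: swap the \DosDevices\C: and
# \DosDevices\D: entries under HKLM\SYSTEM\MountedDevices via a spare
# letter, the way the KB steps do by hand. Reboot afterwards (step 19).

$MountedDevices = 'HKLM:\SYSTEM\MountedDevices'

function Get-DosDeviceName {
    # Value name used by MountedDevices for a drive letter, e.g. \DosDevices\C:
    param([Parameter(Mandatory)][string]$Letter)
    "\DosDevices\$($Letter.ToUpper()):"
}

function Test-DosDevice {
    # True when MountedDevices has a \DosDevices\X: value for the letter.
    param([Parameter(Mandatory)][string]$Letter)
    $name = Get-DosDeviceName -Letter $Letter
    $null -ne (Get-ItemProperty -Path $MountedDevices -Name $name -ErrorAction SilentlyContinue)
}

function Switch-SystemDriveLetter {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param(
        [string]$WrongSystemLetter = 'D',   # where the OS volume ended up
        [string]$WrongDataLetter   = 'C',   # what the data volume is wrongly called
        [string]$SpareLetter       = 'Z',   # must not be in use
        [string]$BackupFile        = "$env:TEMP\MountedDevices-backup.reg"
    )
    foreach ($l in $WrongSystemLetter, $WrongDataLetter) {
        if (-not (Test-DosDevice -Letter $l)) { throw "No \DosDevices entry for ${l}:" }
    }
    if (Test-DosDevice -Letter $SpareLetter) { throw "Spare letter ${SpareLetter}: is already in use" }

    # Back up the key first; reg.exe writes a .reg file you can re-import.
    & reg.exe export 'HKLM\SYSTEM\MountedDevices' $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Registry backup failed; aborting' }

    # The three renames from Figure 3, steps 12, 15 and 16.
    $steps = @(
        @($WrongDataLetter,   $SpareLetter),       # C: -> Z: frees C
        @($WrongSystemLetter, $WrongDataLetter),   # D: -> C: OS volume back on C
        @($SpareLetter,       $WrongSystemLetter)  # Z: -> D: data volume back on D
    )
    foreach ($s in $steps) {
        $from = Get-DosDeviceName -Letter $s[0]
        $to   = Get-DosDeviceName -Letter $s[1]
        if ($PSCmdlet.ShouldProcess($MountedDevices, "Rename $from to $to")) {
            # Fails with access denied unless Administrators have Full Control
            # on the key (Figure 3, steps 6 and 7); restore Read afterwards.
            Rename-ItemProperty -Path $MountedDevices -Name $from -NewName $to
        }
    }
    "Done; backup at $BackupFile. Reboot for the new letters to take effect."
}

# Constructed usage:
# Switch-SystemDriveLetter -WhatIf
# Switch-SystemDriveLetter
```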

After I applied this procedure on the 
customer's PC, the desktop icons had 
their artwork back and all the desktop 
icons launched their respective programs 
without error. I then ran both a full system 
virus scan and Windows Defender scan, 
but nothing turned up. I suspect that 
some form of malware or a browser script 
sneaked through the antivirus defense 
line and perpetrated this registry-based 
annoyance. 

If malware or something else wreaks havoc with the Windows system drive letters on users' PCs, you might want to try this procedure. Note that you need to be comfortable with using regedit and possibly regedt32. Before you attempt to implement it, though, I strongly recommend that you manually create a restore point. The Microsoft article "How to back up and restore the registry in Windows XP" (support.microsoft.com/kb/322756) provides instructions and even a help guide. The article also provides links to instructions on how to back up the registry in Windows 7.0 and Windows Vista.
—Bret A. Bennett, IT consultant, West Palm Beach
InstantDoc ID 125263
Q: How can a Windows Remote Desktop client verify the identity of a Windows Server 2008 Remote Desktop Session Host server to ensure it doesn't set up RDP connections with a rogue server?

A: By default, RDP doesn't provide server authentication to verify the identity of a remote desktop session host server. Starting with Windows Server 2003 SP1, you can enhance the security of RDP sessions to a Windows server by using SSL/Transport Layer Security (TLS) for server authentication. To do so, your Remote Desktop Session (RDS) Host server (or Terminal Services server in pre-Windows Server 2008 versions) must have an X.509 server authentication certificate and be configured correctly.

On an RDS Host (or Terminal Services) server, you can configure SSL/TLS from the Remote Desktop Session Host Configuration MMC snap-in. In the Connections container, right-click the RDP-TCP connection object and click Properties. Then, on the General tab, select the SSL (TLS 1.0) Security Layer. You can then either select a server authentication certificate that's already installed on the RDS Host server using the Select button or click the Default button to generate a self-signed certificate. 

If you select SSL (TLS 1.0), SSL/TLS will be used for server authentication and also for encrypting all data transferred between the RDP server and client. 

—Jan De Clercq 

InstantDoc ID 125073 
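The answer covers the server side; the question asks what the client can check. As an added example (not part of Jan De Clercq's answer and not a Microsoft tool), the Python script below does the client's half of that exchange: it sends the X.224 Connection Request that asks the listener for the SSL/TLS security layer, parses the Connection Confirm, and then completes a TLS handshake that validates the server certificate chain and host name against a CA bundle you supply. The host, port and `cafile` values are assumptions supplied by the caller; the packet layouts are the standard RDP negotiation request and response structures.

```python
"""Client-side check of an RDP server's TLS identity.

Added example, not code from the answer or from Microsoft: it performs the
RDP security negotiation that precedes the TLS handshake, then validates
the server certificate against a CA bundle. Host, port and CA-file values
are assumptions supplied by the caller.
"""
import socket
import ssl
import struct
import sys

# requestedProtocols / selectedProtocol flags in the RDP negotiation structures
PROTOCOL_RDP = 0x00000000     # standard RDP security: no server authentication
PROTOCOL_SSL = 0x00000001     # TLS security layer: server authenticated by X.509 cert
PROTOCOL_HYBRID = 0x00000002  # CredSSP (NLA) on top of TLS

TYPE_RDP_NEG_REQ = 0x01
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03


def build_x224_connection_request(requested_protocols=PROTOCOL_SSL):
    """TPKT header + X.224 Connection Request carrying an RDP_NEG_REQ."""
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    # X.224 CR-TPDU: length indicator, code 0xE0, dst-ref, src-ref, class options
    x224 = bytes([6 + len(neg_req), 0xE0]) + b"\x00\x00" + b"\x00\x00" + b"\x00" + neg_req
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def parse_x224_connection_confirm(data):
    """Return the security protocol the server selected, or raise ValueError."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT packet")
    if struct.unpack(">H", data[2:4])[0] != len(data):
        raise ValueError("TPKT length does not match packet")
    if data[5] != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    body = data[11:]
    if not body:
        # Older server: no RDP_NEG_RSP in the confirm means standard RDP security only
        return PROTOCOL_RDP
    if len(body) < 8:
        raise ValueError("truncated negotiation response")
    neg_type, _flags, length, value = struct.unpack("<BBHI", body[:8])
    if length != 8:
        raise ValueError("malformed negotiation response")
    if neg_type == TYPE_RDP_NEG_FAILURE:
        raise ValueError("server refused negotiation, failureCode=%d" % value)
    if neg_type != TYPE_RDP_NEG_RSP:
        raise ValueError("unexpected negotiation structure type %#x" % neg_type)
    return value


def verify_rdp_server(host, cafile, port=3389, timeout=5.0):
    """Negotiate TLS with the listener and validate its certificate chain.

    Returns the verified certificate's subject. Raises ssl.SSLCertVerificationError
    when the chain is not trusted or the name does not match, and RuntimeError
    when the server only offers standard RDP security.
    """
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED, host name checked
    ctx.minimum_version = ssl.TLSVersion.TLSv1        # 2008-era hosts speak TLS 1.0 only
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_x224_connection_request(PROTOCOL_SSL))
        selected = parse_x224_connection_confirm(sock.recv(1024))
        if not selected & (PROTOCOL_SSL | PROTOCOL_HYBRID):
            raise RuntimeError("server offers no server-authenticated security layer")
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["subject"]


if __name__ == "__main__":
    # usage: python rdpcheck.py <host> <ca-bundle.pem>
    print(verify_rdp_server(sys.argv[1], sys.argv[2]))
```

A certificate generated with the Default button is self-signed, so it has no chain to any CA in the bundle and this check rejects it; if clients are to verify the host, issue the server certificate from a CA the clients already trust and select it with the Select button. Note that the check confirms the server's identity only; it says nothing about whether the server also requires Network Level Authentication of the client.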

Q: How can I convert a Hyper-V virtual machine (VM) to a Windows Virtual PC VM? 

A: If the VM is running a 64-bit OS, you can't convert the VM to Windows Virtual PC, because Windows Virtual PC doesn't support 64-bit guest OSs. If the VM is running a 32-bit OS, you should uninstall the Hyper-V integration components, run Sysprep to fix any hardware differences, and then move the VHD to Windows Virtual PC. You can then install the Windows Virtual PC integration tools. 

—John Savill 

InstantDoc ID 125180 

Q: How do you globally change Conversation View in Outlook 2010? 

A: There isn't anything revolutionary in the latest refresh of Microsoft's famous Office PIM client, although there are several feature improvements in Outlook 2010. One addition that has received a mix of praise and declarations of "it's about time!" is the new Conversation View in mail folders. 

When you install Outlook 2010, the default mail folder view is set to Conversation, sorted by date. Many people have waited a long time for this view, so I recommend giving it a try. However, that doesn't mean it is the best view for everyone, because we all use Outlook differently. I used Conversation View for a full month and found that I prefer the linear, serial display of my mail folders. So, how do you turn off the Conversation View, and how do you do it for all mail folders at once? 

In Outlook 2010, you can toggle the Conversation View on and off for the current folder from one of three places. The primary default view options are shown in the Arrangement panel in the Office Ribbon. Select the View tab while in a mail folder and look in the Arrangement panel. Selecting an alternate view icon in the Arrangement panel removes the Conversation View. 

Conversation View is significant enough that Microsoft gave it its own panel in the Ribbon labeled Conversations (this is a change in panel organization from the beta versions to the RTM version of Outlook 2010). The first item in the Conversations panel is the Show as Conversations check box. You can use this check box to toggle the Conversation View on and off, regardless of the other Conversation View options that may already be selected and in place. 

You can also change the Conversation View by right-clicking the bar immediately above the messages and below the search bar on a default installation, and then using the context menu. The view options listed in the context menu mirror the small icons in the Arrangement panel of the Office ribbon. In the context menu, click Show as Conversations to toggle it on and off. 

Using any of these options, you can change the view of the current folder. In the RTM version, Microsoft also added a pop-up option. When you change to or from the Conversation View in a Mail folder, the pop-up will ask if you want that change applied to all folders or just the current folder. Microsoft also included the option of applying this change to selected folders. On the Ribbon, access this option from the View tab, in the Current View panel. Open the Change View drop-down menu, and click Apply Current View to Other Mail Folders. This step opens a new window in which you can select the individual folders you want view changes applied to, including ones in other accounts within the profile. I selected all of them to remove the Conversation View completely. You might want to change only specific folders. We all use Outlook a little differently, and thankfully, Microsoft provides us with many different ways to use it. 

— William Lefkovics 

InstantDoc ID 125185 

Q: Is it true that DirectAccess only works with IPv6? 

A: Yes and no. DirectAccess gives access from Windows 7 machines to a corporate intranet without the need for manual VPN connections or any action by the end user. It's one of the key new features of Windows 7. DirectAccess is built primarily on IPv6 and IPsec, which means your Windows 7 client must be IPv6-enabled and the target server you want to connect with also has to be IPv6-enabled. 

Many of you will be thinking, "but I connect over the Internet, which is IPv4, so does that mean DirectAccess doesn't work over the Internet?" While DirectAccess is built on IPv6, it uses 6to4 tunneling encapsulation if the user has a public IPv4 address or Teredo if the user has a private IPv4 address located behind a Network Address Translation device. If, for some reason, even 6to4 or Teredo won't work, it will use IP-HTTPS, which encapsulates the IPv6 in HTTPS packets, allowing communication even if the user is behind a restrictive firewall. This means DirectAccess works fine over IPv4 networks. 

So you need IPv6 support on either end of the communication, but the network in the middle can be IPv4. If you have a number of IPv4-only servers in your corporate environment you need to communicate with, you can do one of the following: 

• Enable the host for IPv6. 

• Use an alternate technology to connect to the corporate network, such as traditional VPN. 

• Use an IPv6/IPv4 translator, a NAT-PT/NAT64 device. The Microsoft solution is Forefront Unified Access Gateway, which allows DirectAccess-based communication with IPv4-only servers on the intranet. 

—John Savill 

InstantDoc ID 125178 
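The transition-technology choice in the answer above (6to4 for a public IPv4 address, Teredo for a private address behind NAT, IP-HTTPS when neither gets through) can be modelled in a few lines, and doing so shows what 6to4 actually derives from the address. The Python below is an added example, not from John Savill's answer or from Windows: the function names are mine, and the `tunnels_blocked` flag is an assumption standing in for the probe a real client performs to discover that 6to4 and Teredo are blocked.

```python
"""Model of the DirectAccess transition-technology choice.

Added example, not from the answer: the selection order (6to4 for a public
IPv4 address, Teredo for a private address behind NAT, IP-HTTPS when
neither gets through) and the 6to4 prefix derived from a public address.
"""
import ipaddress


def six_to_four_prefix(ipv4):
    """2002:WWXX:YYZZ::/48, where WWXXYYZZ is the public IPv4 address in hex."""
    addr = ipaddress.IPv4Address(ipv4)
    if not addr.is_global:
        raise ValueError("6to4 needs a public IPv4 address, got %s" % addr)
    return ipaddress.IPv6Network("2002:%02x%02x:%02x%02x::/48" % tuple(addr.packed))


def choose_transition(ipv4, native_ipv6=False, tunnels_blocked=False):
    """Return the transport a DirectAccess client would use from this address.

    native_ipv6:     the client is already on an IPv6 network, no tunnel needed.
    tunnels_blocked: assumption standing in for a probe result: a restrictive
                     firewall drops 6to4 (IP protocol 41) and Teredo (UDP),
                     leaving only HTTPS on TCP 443.
    """
    if native_ipv6:
        return "native IPv6"
    if tunnels_blocked:
        return "IP-HTTPS"
    addr = ipaddress.IPv4Address(ipv4)
    if addr.is_private:
        return "Teredo"      # behind NAT: 6to4 cannot embed a private address
    if addr.is_global:
        return "6to4"
    return "IP-HTTPS"        # anything else (reserved ranges): nothing else fits


def describe(ipv4, **kwargs):
    """Human-readable result, including the 6to4 prefix where it applies."""
    transport = choose_transition(ipv4, **kwargs)
    if transport == "6to4":
        return "%s via 6to4 prefix %s" % (ipv4, six_to_four_prefix(ipv4))
    return "%s via %s" % (ipv4, transport)


if __name__ == "__main__":
    # constructed sample addresses, not from any real deployment
    for sample in ("1.2.3.4", "10.0.0.5", "192.168.1.20"):
        print(describe(sample))
    print(describe("10.0.0.5", tunnels_blocked=True))
```

The 6to4 derivation is why a private address cannot use it: the /48 prefix embeds the client's own IPv4 address, and an RFC 1918 address would not be routable back from the 6to4 relay, which is exactly the gap Teredo fills.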


Q: How can I reset the local administrator password on several workstations from the command line using as few commands as possible? 

A: You can use the Sysinternals Pspasswd tool, which is part of the PsTools download, to reset the local administrator password on multiple machines remotely. Pspasswd uses the Windows password reset APIs to deal with a password reset—it doesn't send passwords in clear text over the network. 

To reset the administrator account password on a single computer, use the syntax 

  pspasswd \\<computer_name> <local_administrator_account_name> "<New_password>" 

To reset the administrator account password on multiple computers, use 

  pspasswd \\<PC1_name>,<PC2_name>,<PC3_name>,<PC4_name> <Local_administrator_accountname> "<New_password>" 

To reset the administrator account password on multiple computers using a text file named myfile.txt that lists the computer names, use 

  pspasswd @myfile.txt <Local_administrator_accountname> "<New_password>" 

You must run Pspasswd with an account that has administrative rights on the target computers. You can specify those credentials using the command-line switches -u (for the account name) and -p (for the password). 

—Jan De Clercq 

InstantDoc ID 125192 

Q: How do I sort accounts in Outlook's Navigation pane? 

A: Microsoft Outlook allows you to have multiple accounts within a single Outlook profile. Outlook 2010 even allows you to have multiple Exchange accounts in the same profile. The delivery destination for new content is specific to each account. You can have all accounts deliver to a single location, like an Exchange mailbox or a PST file, or you can have each account deliver new content to its own unique destination. PSTs are also not tied to the machine or Outlook installation used in their creation. When closed, a PST can be opened by other installations of Microsoft Outlook or with a number of tools that adhere to PST data standards. When you open a PST file, you may have a single account or many accounts, depending on whether multiple accounts were configured to deliver content there. 

These accounts are listed in the Navigation pane when in Mail view or when the view is set to Folder List. The top level of the PST file hierarchy can be assigned a name, typically chosen when the PST file is created. Sometimes users find that the accounts listed in the Navigation pane are not in the preferred order. Outlook sorts these accounts alphabetically by name. That name is configurable. To change the order, just change the names to adhere to alphabetical sequence. 

Figure 1 shows an Outlook 2007 installation with four accounts created and configured. To move the account called MMG to the bottom, you need to change its name to reflect a later position in the alphabet than any of the other names. To change the name, right-click on the name in the navigation view and select Properties. Near the bottom of the properties window, click on the Advanced button. Now, near the top of the Advanced Properties window, you can change the name of the account. For this example, I changed it to Web—MMG. Figure 2 shows the net result of that change with the updated order of the presentation of the actual accounts. 

Figure 1: Multiple Outlook Accounts 

Figure 2: Rearranged Outlook Accounts 

When I open archived PSTs, I prepend the account name within the PST with "z_" to present them as the last account in the navigation pane. This tip can be helpful where you have many accounts opened simultaneously or when you open many additional PSTs throughout the day. 

—William Lefkovics 

InstantDoc ID 125183 

Q: How can I publish a Certificate Revocation List (CRL) or Certification Authority (CA) certificate to an Active Directory (AD) Lightweight Directory Services (LDS) instance? 

A: A Windows Enterprise CA (that is, an AD-integrated CA) automatically publishes its certificates and CRLs in AD. But if you're using a different LDAP server, such as an AD LDS instance, you must publish the certificates and CRLs manually. The easiest way to do this is to use the Certutil command-line utility. 

To manually publish a certificate to an AD LDS instance, use the command 

  certutil -addstore "ldap://<Server_name>/<Distinguished_Name>?CACertificate?base?ObjectClass=CertificationAuthority" <Cert_file_name> 

For example, 

  certutil -addstore "ldap://myadldsserver.mycompany.net/CN=myCA,CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=mycompany,DC=net?CACertificate?base?ObjectClass=CertificationAuthority" mycacertificate.cer 

To manually publish a CRL to an AD LDS instance, use the command 

  certutil -addstore "ldap://<Server_name>/<Distinguished_Name>?CertificateRevocationList?base?ObjectClass=CRLDistributionPoint" <CRL_file_name> 

In the above commands, you must replace <Server_name> with the name of the AD LDS server, <Distinguished_Name> with the LDAP path you've used to publish CRLs in the CA configuration (this is a CRL Distribution Point), <CRL_file_name> with the file name of the CRL you want to publish, and <Cert_file_name> with the file name of the certificate you want to publish. 

—Jan De Clercq 

InstantDoc ID 125193 

Q: Which edition of Windows Server 2008 R2 should I buy for my Hyper-V server? 

A: The decision about whether to purchase the Standard, Enterprise, or Datacenter edition of Windows Server 2008 R2 should depend on two major factors: the number of virtual machines (VMs) you intend to run and your high availability requirements. High availability is only available with the Enterprise and Datacenter SKUs, so if you want clusters and features like Live Migration, you have to use Enterprise or Datacenter edition. 

The next factor is the number of VMs. Standard Edition supports one physical OS and one virtual OS (VM), Enterprise supports one physical OS and four virtual OSs, and Datacenter supports one physical OS and an unlimited number of virtual OSs. Note that Standard and Enterprise are purchased on a per-server basis while Datacenter is purchased on a per-processor basis, and at least two processors (sockets) must be licensed on each server with Datacenter. 

You can assign multiple licenses to a single physical server. For example, I could purchase two copies of Enterprise Edition and assign them to a single physical server, which would allow me to run eight VMs. I could also buy eight copies of Standard Edition or just two of Datacenter (I need two because two is the minimum number purchasable with Datacenter—two sockets). 

Generally, the following is a good guideline for the most cost-effective SKU to buy, but remember to consider future growth. 

• Standard Edition is most cost efficient for one to three VMs per server. Note that if you run three VMs, you'll need to buy three copies of Standard Edition. 

• Enterprise Edition is most cost efficient from four VMs on a server up to four VMs per processor. For example, if I have a dual processor box and want to run eight VMs, I could buy two copies of Enterprise edition. 

• Datacenter Edition is most cost efficient for more than four VMs per processor, because you can run an unlimited number of VMs per processor and license each processor. While Datacenter is more expensive than Enterprise when running four VMs per processor, you have more scalability and support for future growth, so you could, potentially, adopt Datacenter over Enterprise when you consider future requirements. Remember that you have to license all processors in the server. 

If you're using the maximum number of virtual instance rights, you can't run any workloads other than Hyper-V in the parent partition. If you run additional workloads in the parent partition (which isn't recommended), you lose one of your virtual instance rights. So if you're running Enterprise Edition and you're also running a file and print server on the Hyper-V host, you can only run three virtual OS instances. 

When you purchase a SKU of Windows Server, you have the right to run that version and any lower version in your virtual environments. For example, if I buy Datacenter Edition, I can run Datacenter, Enterprise, or Standard in my VMs. If I buy Enterprise edition, I can run Enterprise or Standard in my VMs. 

Finally, remember you can't move these virtual OS environment rights between servers. If you want to run four VMs on each server and have the ability to live migrate them to another server (which would mean it would run eight VMs), you need two licenses of Enterprise on the target server (or Datacenter). This is why when you're using Live Migration and clusters, it's normally advised to purchase Datacenter. 

—John Savill 
InstantDoc ID 125210 

Q: I'm receiving an error when trying to Sysprep my Windows Vista or Windows 7 box. How can I see what happened? 

A: When you get an error in Sysprep, check the %systemroot%\System32\sysprep\Panther folder for the file setuperr.txt. Examine the failure, then search for the exact error in the Microsoft Knowledge Base (or I just used Bing). 

A common problem I've seen relates to an error executing drmv2clt.dll, which is the digital rights management component. Make sure no Windows Media Player components are running when you run Sysprep. The easiest way is to launch Task Manager, select Processes, then enable Show processes from all users. Look for processes starting with wmp and end them. My problem was wmpnetwk.exe, which, once ended, allowed Sysprep to execute with no problems. I also disabled the Windows Media Player Network Sharing Service to make sure it didn't start itself again (which it will do if you just stop the process). 

—John Savill 
InstantDoc ID 125176 
Live migration is probably the most important technology that Microsoft added to Hyper-V in Windows Server 2008 R2. It enables virtual machines (VMs) to be moved between Hyper-V hosts with no downtime. Using live migration, you can migrate all VMs off the Hyper-V host that needs maintenance, then migrate them back when the maintenance is done. In addition, live migration enables you to respond to high resource utilization periods by moving VMs to hosts with greater capacities, thereby enabling the VM to provide end users with high levels of performance even during busy periods. 

Live migrations can be manually initiated, or if you have System Center Virtual Machine Manager 2008 R2 and System Center Operations Manager 2007, you can run automated live migrations in response to workload. You need to complete quite a few steps to set up two systems for live migration, and I'll guide you through the process. First, I'll explain how live migration works. Then I'll cover some of the hardware and software prerequisites. Finally, I'll walk you through the important points of the Hyper-V and failover clustering configuration that must be performed to enable live migration. 


Move VMs between Hyper-V hosts with no downtime 

by Michael Otey 


How Live Migration Works 

Live migration takes place between two Hyper-V hosts (see the diagram in Figure 1). Essentially, the VM memory is copied between the hosts. After the memory is copied, the VM on the new host can access its virtual hard disk (VHD) files and continue to run. Both hosts access shared storage where the VHD files are stored. When you initiate a live migration, the following steps occur: 

1. A new VM configuration file is created on the target server. 

2. The source VM's initial memory state is copied to the target. 

3. Changed memory pages on the source VM are tagged and copied to the target. 

4. This process continues until the number of changed pages is small. 

5. The VM is paused on the source node. 

6. The final memory state is copied from the source VM to the target. 

7. The VM is resumed on the target. 

8. An Address Resolution Protocol (ARP) message is issued to update the network routing tables. 
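The eight steps above describe an iterative pre-copy transfer, and the interesting part is why step 4 ever terminates: each round resends only the pages the guest dirtied during the previous round, so the set shrinks as long as the copy drains pages faster than the guest writes them. The Python below is an added simulation written for this article, not Hyper-V code: a toy guest keeps running (and dirtying pages in proportion to how long each round's copy takes) while its memory is copied, and the loop pauses the guest once the remaining set is small, or after `max_rounds` when the dirty rate never lets it converge. The class name, the `dirty_ratio` parameter and the page-dirtying workload are constructed assumptions.

```python
"""Toy model of the pre-copy loop behind Hyper-V live migration.

Added example, not code from the article or from Hyper-V: a guest keeps
running (and dirtying pages) while its memory is copied, so only pages
changed since the previous round are resent until the changed set is
small; then the guest is paused, the last pages go across, and it resumes
on the target with identical memory.
"""
import random


class Guest:
    """Toy VM: memory is a list of page contents; a workload dirties pages."""

    def __init__(self, pages, dirty_ratio, seed=1):
        self.memory = [0] * pages
        # Pages the workload dirties per page copied: >= 1.0 means the guest
        # writes faster than the copy can drain, so pre-copy cannot converge.
        self.dirty_ratio = dirty_ratio
        self.dirty = set(range(pages))   # every page must be sent at least once
        self.paused = False
        self.rng = random.Random(seed)   # deterministic constructed workload
        self.tick = 0

    def run_while_copying(self, pages_copied):
        """The guest executes for as long as the copy of `pages_copied` takes."""
        if self.paused:
            return
        self.tick += 1
        n = min(len(self.memory), int(pages_copied * self.dirty_ratio))
        for page in self.rng.sample(range(len(self.memory)), n):
            self.memory[page] = self.tick      # new content
            self.dirty.add(page)               # step 3: changed page is tagged

    def take_dirty(self):
        """Hand over the tagged pages and start a fresh tracking round."""
        pages, self.dirty = self.dirty, set()
        return sorted(pages)


def live_migrate(guest, threshold=8, max_rounds=30):
    """Run the pre-copy loop. Returns (target_memory, rounds, downtime_pages)."""
    target = [None] * len(guest.memory)   # step 1: empty VM on the target host
    rounds = 0
    while True:
        rounds += 1
        batch = guest.take_dirty()
        for page in batch:                 # steps 2-3: initial state, then changed pages
            target[page] = guest.memory[page]
        guest.run_while_copying(len(batch))
        # step 4: stop iterating once the changed set is small (or give up
        # after max_rounds, as a real implementation must when the guest
        # dirties memory faster than it can be copied)
        if len(guest.dirty) <= threshold or rounds >= max_rounds:
            break
    guest.paused = True                    # step 5: pause on the source node
    final = guest.take_dirty()             # step 6: final memory state
    for page in final:
        target[page] = guest.memory[page]
    # steps 7-8 (resume on the target, announce the new location with ARP)
    # are outside this memory-only model.
    return target, rounds, len(final)


if __name__ == "__main__":
    g = Guest(pages=256, dirty_ratio=0.25)
    mem, rounds, downtime = live_migrate(g)
    print("rounds=%d pages copied while paused=%d identical=%s"
          % (rounds, downtime, mem == g.memory))
```

With `dirty_ratio=0.25` the rounds copy 256, 64 and 16 pages and only 4 remain for the paused phase; with `dirty_ratio=1.0` every round dirties as many pages as it copied, the loop hits `max_rounds`, and the whole memory goes across while the guest is paused. That second case is the practical reason the article's later advice about fast NICs and a dedicated migration network matters: the pause length is set by how many pages are left when the loop gives up.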

Requirements for Live Migration 

On the hardware side, you need two x64 systems with compatible processors for live migration. It's best if the host processors are identical, though it's not required. However, they do need to be from the same processor manufacturer and family—you can't perform a live migration when one host has an AMD processor and the other host has an Intel processor. Learn more about Hyper-V processor compatibility in the Microsoft white paper "Virtual Machine Processor Compatibility Mode" (download.microsoft.com/download/F/2/1/F2146213-4AC0-4C50-B69A-12428FF0B077/VM%20processor%20compatibility%20mode.doc). 

In addition, each of the servers should be equipped with at least three NIC cards, running at 1GHz: one for external network connections, one for iSCSI storage connectivity, and one for node management. 


Windows IT Pro 


www.windowsitpro.com 


We're in IT with You 


JULY 2010 23 

■ LIVE MIGRATION 


Figure 1: Live Migration architecture (diagram: a Virtual Machine on each Hyper-V host, connected through the Network to shared Storage) 


Ideally, you'd have another NIC dedicated to the live migration, but the live migration can also occur over the external network connection—it will just be a little slower. It's important to note that if you're implementing a server consolidation environment, you will want additional NICs for the network traffic of the VMs. 

On the software side, all the nodes that take part in live migration must have Server 2008 R2 x64 installed. This can be the Standard, Enterprise, or Datacenter editions. Live migration is also supported by the Hyper-V Server 2008 R2 product. In addition, the Hyper-V role and the failover cluster feature must be installed on all servers participating in live migration. 

You also need shared storage, which can be either an iSCSI SAN or a Fibre Channel SAN. In this example, I used an iSCSI SAN. Be aware that the iSCSI SAN must support the iSCSI-3 specifications, which include the ability to create persistent reservations, something that live migration requires. Some open-source iSCSI targets such as OpenFiler don't have that support at this time. If you're looking to try this for a local test and don't want to buy an expensive SAN, you might want to check out the free StarWind Server product at www.starwind.com. 

Failover Cluster Networking Configuration 

Failover clustering is a requirement for live migration. You can live-migrate VMs only between the nodes in the failover cluster. The first step in creating a failover cluster is to configure the networking and storage. You can see an overview of the network configuration used to connect the Windows servers in the cluster to the external network and to the shared storage in Figure 2. 


In Figure 2 the servers are using the network with the subnet of 192.168.100.xxx for client connections. The iSCSI SAN is running on an entirely separate physical network, which was configured using the 192.168.0.xxx IP addresses. You can use different values for either of these IP address ranges. I selected these values to more clearly differentiate between the two networks. Ideally, you would also have additional NICs for management and an optional live migration connection, but these aren't strictly required. Live migration can work with a minimum of two NICs in each server. 

Storage Configuration 

I used a LeftHand Networks iSCSI SAN for Hyper-V live migration as well as a test SQL Server implementation. On the iSCSI SAN I created four LUNs. One LUN was sized at 500MB to be used for the cluster quorum. Another was sized at 1024GB to be used for 10 VMs. Two other LUNs were for the test SQL Server implementation and consisted of a 200MB LUN for the Distributed Transaction Coordinator and a 500GB LUN for SQL Server data files. 

After creating the LUNs, I configured the iSCSI Initiator on both the Windows Server nodes. To add the iSCSI targets, I selected the Administrative Tools, iSCSI Initiator option, then on the Discovery tab I chose the Discover Portal option. This displayed the Discover Portal dialog box, where I entered the IP address and iSCSI port of the SAN. In my case, this was 192.168.0.1 and 3260, respectively. 

Next, in the Connect to Target dialog box, I supplied the target name of the iSCSI SAN. This name came from the properties of the SAN and varies depending on the SAN vendor, the domain name, and the names of the LUNs that are created. I selected the option Add this connection to the list of Favorite Targets. After completing the iSCSI configuration, the iSCSI Initiator Targets tab was populated with the LUNs. 

Finally, using Disk Administrator I assigned drive letters to the LUNs. I opened Disk Management and used Q for the quorum, R for DTC, S for SQL Server, and V for the VMs. You need to make the assignments on one node, then bring the disks offline and make identical assignments on the second node. Figure 3 shows the completed Disk Management disk assignments for one of the nodes. 

Adding the Hyper-V Role and Failover Clustering Feature 

The next step is to add the Hyper-V role, then the failover clustering feature. You add both by using Server Manager. To add the Hyper-V role, select Administrative Tools, Server Manager, then click the Add Role link. From the Select Server Roles dialog box, select Hyper-V, then click Next. You'll be prompted with Create Virtual Networks. This essentially creates a bridge between the Hyper-V VMs and your external network. 

Figure 2: Networking and storage configuration 

Figure 3: Disk management of iSCSI drives 

Select the NICs that you want to use for your VM traffic. Be careful not to choose the NICs that are used for the iSCSI SAN connection. Click Next to complete the Add Role Wizard. The system then reboots. You need to perform this process for all of the nodes in the cluster. 

Next, add the failover cluster feature by using the Administrative Tools, Server Manager, Add Feature option. This starts the Add Features wizard. Scroll through the list of features and select Failover Clustering. Click Next to complete the wizard. This process must be completed on all nodes. 

Configuring Failover Clustering 

Next, create a failover cluster. You can do this on any of the cluster nodes. Select the Administrative Tools, Failover Cluster Manager option to start the Failover Cluster Management console. Then select the Validate a Configuration link to start the wizard, which displays the Select Servers or Cluster dialog box. 

Enter the fully qualified names of all the nodes that will belong to the cluster, then click Next. Click Next through the subsequent wizard screens to run the cluster validation tests, which check the OS level, the network configuration, and storage of all cluster nodes. A summary of the test results is displayed. If the validation tests succeed, you can continue and create the cluster. If there are errors or warnings, you can display them in the report, correct them, and rerun the validation tests. 

After the validation tests have run, you create the cluster using the Create a Cluster link from the Failover Cluster Management console. Like the validate option, the Create a Cluster option starts by displaying a Select Servers dialog box where you enter the names of all cluster nodes. Clicking Next displays the Access Point for Administering the Cluster dialog box. 

Here you assign the cluster a name and an IP address. The name and IP address both must be unique in the network. I named the cluster WS08R2-CL01 and gave the cluster an IP address of 192.168.100.200. With Server 2008 R2 you can choose to have the IP address assigned by DHCP, but I prefer to use manually assigned IP addresses for my server systems because it allows my servers to have the same IP addresses, which is handy for troubleshooting problems. 

Clicking Next displays the Confirmation screen where you review your cluster creation selections. You can page back and make changes. Click Next again to create the cluster. A summary screen then displays the configuration of the new cluster. This action configures the cluster on all of the selected cluster nodes. 

The Create Cluster wizard automatically selects the storage for your quorum, but it doesn't always choose the quorum drive that you want. You can check and change the quorum configuration by right-clicking the name of the cluster in the Failover Cluster Management console, then selecting More Actions, Configure Cluster Quorum Settings from the context menu. This displays the Select Quorum Configuration dialog box. A wizard automatically chooses the best quorum type, depending mainly on the number of nodes in the cluster. In my two-node cluster, it selected the Node and Disk Majority quorum type. 

Next, the Configure Storage Witness dialog box is displayed. Here I changed the original value to the Q drive that I wanted to use as the quorum by selecting a check box. Clicking Next saves the cluster quorum changes. If you would like to know more about configuring Server 2008 R2 failover clustering, see the Windows IT Pro website; you can start with "4 Failover Clustering Hassles and How to Avoid Them," InstantDoc ID 103534. 

Enabling Cluster Shared Volumes 

The next step in cluster configuration is to enable cluster shared volumes. The cluster shared volumes feature lets multiple cluster nodes simultaneously access the shared storage locations, but it's not enabled by default. To do so, use the Failover Cluster Management console and right-click the name of the cluster at the top of the navigation pane, then select Enable Cluster Shared Volumes from the context menu. This displays the summary pane for Cluster Shared Volumes, which initially is blank. 

To select a shared storage location to be used by cluster shared volumes, click the Add Storage option in the Action pane. This displays the Add Storage dialog box. The storage for cluster shared volumes has to be visible to the cluster and it can't be used for other purposes. Select the box next to the storage location you want to use. I selected the V drive, which is actually a LUN on the LeftHand Networks SAN. Click OK to enable Cluster Shared Volumes for that drive. This also results in the creation of a mount point on all the cluster nodes. By default, the mount point is labeled C:\ClusterStorage\Volume1. 

Creating VMs on Cluster Shared Volumes 

At this point, failover clustering is configured on all the nodes in the cluster and the cluster shared volumes feature has been enabled, allowing all of the nodes to simultaneously access the storage. The next step is to create VMs that can take advantage of this infrastructure. Hyper-V VMs can be created using either the Hyper-V Manager or System Center Virtual Machine Manager. To create a new VM using Hyper-V Manager, click the Administrative Tools, Hyper-V Manager option at the Start menu, then select New from the Action pane to start the New Virtual Machine wizard. Figure 4 shows the dialog box you will see, labeled Specify Name and Location. 

Figure 5: Starting the live migration 

In Figure 4, you can see that the VM will be named vWS08-SQL01. Also note that the value for the VM location has been set to the cluster shared volumes mount point: C:\ClusterStorage\Volume1. This causes the VM configuration files to be created on the shared storage. 

Click Next to assign RAM to the VM. Click Next again to select the network connection for the VM. Assigning a network for the VM is optional. However, if you do select an external network, be sure that the external network connection is named the same on all of your Hyper-V nodes. In my case, I used the external network name of External Virtual Network on all of my Hyper-V cluster nodes. 

Click Next to display the Connect Virtual Hard Disk dialog box. Here, again, it's important to create the VHD files on the cluster shared volumes storage. Initially, the dialog displays the Hyper-V Manager default values for name and location. I used the value of vWS08-SQL01.vhd for the VHD file and changed the location to C:\ClusterStorage\Volume1. Click Next to specify the guest OS installation options. All guest OSs including Linux can take advantage of live migration. The rest of the process for creating a VM is exactly like creating a normal VM. 

When you complete the New Virtual Machine wizard, the VM will be created on the cluster shared volumes storage. The next step is to start the VM and install the guest OS and the application that you want to run on the VM. 


Enabling VMs for Live Migration 

Open the Failover Cluster Management console, then navigate to the Services and Applications node under the cluster name and right-click to display the context menu. Select Configure Service or Application to start the High Availability wizard. On the Select Service or Application dialog box, select Virtual Machine from the list of services displayed, then click Next. This displays the Select Virtual Machine dialog box. 

Scroll through the list of VMs until you find the one you want to enable for live migration. I selected the VM vWS08-SQL01 created earlier. The VM can't be running while you perform this operation—it must be in the Off or Saved state. 

Select the check box in front of the VM name, then click Next until you complete the wizard. A confirmation screen is displayed and the summary dialog box reports the status. If you see "Success" in the description, then the VM has been successfully enabled for live migration. If not, you need to review the VM properties and make sure all of the VM assets can be accessed on all of the nodes in the cluster. 

Ready, Set, Migrate! 

That's all there is to configuring the Hyper-V live migration environment. At this point, you can initiate a live migration using the Failover Cluster Manager. To start a live migration, expand the Services and Applications node, then select the VM node displayed beneath it. This displays the summary pane, which shows the VMs that have been enabled for clustering, along with their current status, which Figure 5 shows. 

In Figure 5, you can see that VM vWS08-SQL01 is running and that the current owner is node WS08R2-S1. To initiate a live migration, go to the Action pane and select the Live migrate virtual machine option shown in the upper third portion of the Action pane. A menu flyout prompts you for the name of the target node. In my example, the menu flyout would show 1 - Live migrate to node WS08R2-S2. You then click that option to start the live migration. 

The running status is displayed in the summary window until the live migration finishes. The length of time it takes to complete depends on the size and activity of the VM, as well as the speed and activity of the network connection between the Hyper-V host systems. Typically, my network live migrations take between about 10 seconds and a minute. When the live migration has been completed, the summary pane is redisplayed and the Current Owner value is updated with the name of the target node. 
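The same enable-then-migrate sequence scripted in PowerShell, as an added example that is not from the article: it uses the Windows Server 2008 R2 FailoverClusters module and the Hyper-V R2 WMI namespace to perform the two checks the text calls out (the VM must be Off or Saved, and its assets must sit on a cluster shared volume every node can reach) before making vWS08-SQL01 highly available and live migrating it to WS08R2-S2. It assumes you run it on a cluster node as a cluster administrator; the cmdlet and WMI class names are the real ones, the checks and messages are mine.

```powershell
# Added example, not from the article: enable a VM for clustering and live
# migrate it with the Windows Server 2008 R2 FailoverClusters module.
# Assumed: run on a cluster node as a cluster administrator; the Hyper-V R2
# WMI namespace root\virtualization is present on that node.
Import-Module FailoverClusters

$vmName     = 'vWS08-SQL01'   # VM created on C:\ClusterStorage\Volume1
$targetNode = 'WS08R2-S2'     # node to live migrate to

# 1. Collect the cluster shared volume mount points. Anything outside these
#    paths is local to one node and cannot follow the VM to another.
$csvPaths = Get-ClusterSharedVolume | ForEach-Object {
    $_.SharedVolumeInfo | ForEach-Object { $_.FriendlyVolumeName }
}
if (-not $csvPaths) { throw 'No cluster shared volumes found; create one first.' }

# 2. The VM must be Off or Saved before it can be made highly available.
#    Msvm_ComputerSystem.EnabledState: 2 = running, 3 = off, 32769 = saved.
$vm = Get-WmiObject -Namespace 'root\virtualization' -Class Msvm_ComputerSystem |
      Where-Object { $_.ElementName -eq $vmName }
if (-not $vm) { throw "VM $vmName was not found on this host." }
if (@(3, 32769) -notcontains $vm.EnabledState) {
    throw "VM $vmName must be Off or Saved (EnabledState $($vm.EnabledState))."
}

# 3. Check that the VM's configuration root is on a CSV. This is what the
#    wizard's "review the VM properties" hint points at: assets on local
#    disk make the group fail on every node but the one it was created on.
$vmSettings = Get-WmiObject -Namespace 'root\virtualization' `
              -Class Msvm_VirtualSystemGlobalSettingData |
              Where-Object { $_.ElementName -eq $vmName }
$onCsv = $csvPaths | Where-Object { $vmSettings.ExternalDataRoot -like "$($_)*" }
if (-not $onCsv) {
    throw "Configuration root '$($vmSettings.ExternalDataRoot)' is not on a cluster shared volume."
}

# 4. Equivalent of the High Availability wizard with Virtual Machine selected.
#    The new cluster group takes the VM's name; starting the group starts the VM.
Add-ClusterVirtualMachineRole -VirtualMachine $vmName | Out-Null
Start-ClusterGroup -Name $vmName | Out-Null
$group = Get-ClusterGroup -Name $vmName
Write-Host "$vmName is $($group.State) on $($group.OwnerNode.Name)"

# 5. Equivalent of "Live migrate virtual machine" in the Action pane. In 2008 R2
#    this cmdlet performs a live migration; Move-ClusterGroup would do a
#    save/restore (quick) migration instead.
Move-ClusterVirtualMachineRole -Name $vmName -Node $targetNode | Out-Null
$group = Get-ClusterGroup -Name $vmName
if ($group.OwnerNode.Name -ne $targetNode) {
    throw "Live migration did not complete; $vmName is still on $($group.OwnerNode.Name)."
}
Write-Host "$vmName is now owned by $($group.OwnerNode.Name)"
```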

The Virtual Promised Land 

Live migration addresses the issues of planned host downtime and lays the foundation for the dynamic data center. Although there are quite a few steps in the process, if you carefully navigate the critical points in the process, you will reach the promised land of Hyper-V live migration. 

InstantDoc ID 125262 


Michael Otey (motey@windowsitpro.com) is technical director for Windows IT Pro and SQL Server Magazine and author of Microsoft SQL Server 

Figure 4: Creating the VM on the cluster shared volumes storage 

by Rhonda Layfield 


Your testing for Windows 7 is probably complete by now. You know which applications and drivers will run properly and which won't. But more importantly, you've found out that some of your existing hardware won't run Windows 7. In this article, I'll walk you through deploying Windows 7, complete with applications, drivers, and packages, to a new, bare-metal machine. I'll also explain all your options so you can deploy everything in a way that best suits your environment. And don't forget that imaging solutions aren't built for one-time use just on new machines—always keep re-imaging in mind as well. 

This article assumes you've installed Microsoft Deployment Toolkit (MDT) 2010 and its prerequisites and created a deployment share as described in "XP to Windows 7 Migration with Microsoft Deployment Toolkit 2010," InstantDoc ID 103607. All steps in this article are performed in MDT's Deployment Workbench (DW) snap-in. After MDT is installed, you launch the DW by selecting Start, All Programs, Microsoft Deployment Toolkit, Deployment Workbench. 


PROBLEM: You need to deploy an OS, complete with applications, drivers, and packages, to a computer that's connected to your network. 

SOLUTION: Use Microsoft Deployment Toolkit (MDT) 2010 to create a deployable and easily managed image. 

MDT 2010, a deployment share created as described in "XP to Windows 7 Migration with Microsoft Deployment Toolkit 2010," InstantDoc ID 103607 

SOLUTION STEPS: 

1. Import an OS into MDT 2010 
2. Create folders to organize the DW 
3. Add MDT components 
4. Create an MDT task sequence 
5. Customize your WinPEs and update the deployment share 
6. Deploy the OS to the client 


Step 1: Import an OS into MDT 2010 

You need to import an OS into MDT's DW before deploying it to your target machines. The supported OSs to deploy are Windows Server 2008 R2, Windows Server 2008 (all service packs), Windows Server 2003 R2, Windows 7, Windows Vista SP1, and Windows XP SP3. The steps for importing an OS are the same regardless of the OS. In the DW, expand the Deployment Shares node, then expand the node for your deployment share; if you're using the deployment share you created by following the steps from the previously mentioned "XP to Windows 7" article, your deployment share should be called MDT Deployment Share (F:\DeploymentShare). If for some reason you've closed the deployment share and need to re-open it, right-click the Deployment Shares node, select Open Deployment Share, then navigate to your deployment share. 

To import an OS, right-click the Operating Systems node and select Import Operating System, which launches the Import Operating System Wizard. Follow these steps in the wizard: 

1. The OS Type page offers three choices, as Figure 1 shows. The Full set of source files option requires an OS CD, DVD, or equivalent (e.g., a copy of a CD or DVD in a local folder). The Custom image file option lets you import a .wim image you've created. If you're importing a custom image, you need to specify where the OS's setup files reside. The Windows Deployment Services images option lets you import all OS images from a Windows Deployment Services (WDS) server. To specify a WDS server, both NetBIOS and Fully Qualified Domain Names (FQDNs) are acceptable. You can't select specific images; it's all or nothing. For this example, select Full set of source files, then click Next. 

2. On the Source page, click the Browse 
button and navigate to a Windows 7 DVD 
or equivalent. 


3. The Destination page prompts you 
to enter the name for the folder in which 
you'd like to store this OS. The folder will 
be created in your deployment share's 
Operating Systems folder. For example, 
mine is at F:\DeploymentShare\Operating 
Systems. Then click Next. 

4. The Summary page displays your 
settings. Review your choices; to make any 
changes, click the Previous button until 
you're back on the page you need to change. 
If all your settings are correct, click Next. 

5. The Progress page appears and displays each step required to import an OS. When the import is complete, the Progress page disappears and the Confirmation page appears. Click Finish. 

Importing an OS can take a while, 
depending on the size of the OS and the 
speed of your server. The OS is displayed in 
the DW under the Operating Systems node 
when the import is complete. 

Step 2: Create Folders to Organize the DW 

MDT 2010 is the first version of MDT that lets you organize components in the DW. Why is this so cool, you might ask? When you added components to past versions of MDT, they were all dumped into one container—well, one container for all applications, another for packages, and a third for out-of-box drivers. It was difficult to tell which drivers belonged to Dell, which belonged to HP, and so forth. Now, it's a snap. To create a folder, follow these steps: 

1. Right-click the node in which you'd 
like to create the new folder and select New 
Folder. 



Figure 1: Choosing the type of OS in the Import Operating System Wizard 


2. On the General Settings page, give 
the new folder a name and description, 
then click Next. 

3. On the Summary page, review your 
settings, make any changes if necessary, 
then click Next. 

4. When the Confirmation page 
appears, click Finish. 

You can cut and paste from one folder 
to another by right-clicking the components 
you want to move and selecting Cut. Then 
navigate to the folder you want to move the 
components into, right-click in the target 
folder, and select Paste. You might have to 
press F5 to refresh your screen to see that the 
components were deleted from their original 
location. If you want the component in more 
than one folder, you can use Copy and Paste. 

Step 3: Add MDT Components 

You need to import into the DW your applications, drivers, and packages that you want included with the OS installation. To import an application, right-click the node in the DW where you want to import the application and select New Application. Then, in the New Application Wizard, follow these steps: 

1. The Application Type page gives you three choices. The Application with source files option lets you deploy an application via its source files. The Application without source files or elsewhere on the network option lets you specify a command to run on the target machine or you can enter a Universal Naming Convention (UNC) path where the application resides (e.g., \\ServerName\SharedFolderName). The Application bundle option lets you define a list of applications to be installed and the order in which they should be installed. Choose Application with source files, then click Next. 

2. On the Details page, fill in the fields 
for Publisher, Application Name (this is 
the name that appears in the DW; you can 
name it whatever you like), Version, and 
Language of the application, then click 
Next. 

3. On the Source page, click the Browse 
button and navigate to the folder where 
you've stored your application source files, 
then click Next. 

4. The Destination page lets you enter the name of a new folder to store the application—this folder should not already exist. Click Next. 

5. Figure 2 shows the Command Details page, which requires the command line that performs a quiet installation of the application. Applications with .exe file extensions can typically be run by placing cmd /c in front of the application executable like this: 

cmd /c wrdviewer.exe 

To run that same command silently, you'll need to add a switch such as /q, /qn, /quiet, or /verysilent. But which one? 

That's the point—every application has 
its own unique switches. The best website 
for help with installing applications is Bob 
Kelly's AppDeploy.com—it really rocks! 

For .msi applications (or an .exe that contains an embedded .msi application), you'll want a command line that resembles this (quote the file name if it contains a space, as this one does): 

msiexec /i "Xml Notepad.msi" 

To run the same command silently and suppress the application from rebooting, you would use 

msiexec /i "Xml Notepad.msi" /qn /norestart 

Applications should never be allowed to restart the target machine because MDT will lose control of the deployment and the installation will fail. Switches are application-dependent with .exe applications, and .msi applications are no different. 


The working directory is how the target machine finds the source files needed to install the application. The path is .\Applications\XMLNotepad. The dot (.) represents the root of the deployment share. If you accepted the default settings when creating your deployment share, the root would be \\ServerName\DeploymentShare$. Within the root, you'll find the Applications folder and then the folder you created earlier to store your application. Click Next. 

6. On the Summary page, review your 
choices, make changes if necessary, then 
click Next. 

7. When the Confirmation page 
appears, click Finish. 

Next it's time to import out-of-box drivers. Driver management is much easier with the new hierarchical folder structures you can create in MDT 2010. If you've already imported drivers, you can cut or copy and paste them into any folder. Before importing your drivers, create a folder for each type. For example, I've copied my Dell drivers into C:\Dell Drivers along with their accompanying files (.inf, .sys, and catalog files). If you want to organize your drivers by manufacturer and model, you'll need to create a folder for each manufacturer and model. Then in the DW, create a similar folder structure, although the names of the folders don't have to match. 

To import drivers, right-click the folder 
you'd like to import the drivers into and 
select Import Driver. Follow these steps in 
the Import Driver Wizard: 

1. On the Specify Directory page, click Browse and navigate to the folder where you stored your drivers, then click Next. 

Figure 2: Entering a command for quiet installation in the New Application Wizard 

2. The Summary page is displayed. Click Next, and when the Confirmation page appears, click Finish. 

Finally, you need to import OS packages. 
The term package includes OS patches and 
language packs. First, you'll need to download 
your packages from Microsoft and store them 
locally (e.g., C:\Packages). In the DW, right- 
click the Packages node (or a folder you've 
created beneath the Packages node), and 
choose Import OS Packages. In the Import 
Packages Wizard, perform these steps: 

1. On the Specify Directory page, click 
Browse and navigate to the folder where 
you've stored the downloaded packages 
(.cab or .msu files), then click Next. 

2. The Summary page is displayed. Click Next, and when the Confirmation page appears, click Finish. 

Step 4: Create an MDT Task Sequence 

A task sequence is a list of tasks that are performed during the deployment process along with the order in which the tasks will be performed. The task sequence determines which OS is deployed along with any applications, drivers, and packages to include. You create a new task sequence within the DW by right-clicking the Task Sequences node (or any subfolder you created within the Task Sequences node) and selecting New Task Sequence. Follow these steps in the New Task Sequence Wizard: 

1. On the General Settings page, supply a Task sequence ID and Task sequence name. For example, my Task sequence ID is W7BM (for Windows 7 bare metal) and my Task sequence name is Windows 7 Bare Metal Installation. In the Comments field, enter information so you can remember—in six months—why you created the task sequence and what the end result should be, such as what applications, drivers, and packages should have deployed successfully. Then click Next. 

2. From the Select Template page, 
choose Standard Client Task Sequence 
from the drop-down list, then click Next. 
Table 1 gives an explanation of all the 
built-in task sequence templates. 

3. Select the OS (Windows 7) that this 
task sequence will deploy on the Select OS 
page, then click Next. 
Table 1: Template Choices in the New Task Sequence Wizard 

Task Sequence Template Name             Description 
Sysprep and Capture                     Runs Sysprep and reboots into WinPE, then runs ImageX to capture an image of the machine. 
Standard Client Task Sequence           Deploys a desktop OS, applications, drivers, and packages. 
Standard Client Replace Task Sequence   Backs up the target machine, including gathering user's state information, before deploying an image. 
Custom Task Sequence                    Lets you create a task sequence from scratch. 
LiteTouch OEM Task Sequence             Used by OEMs to deploy OS images to target machines en masse. 
Standard Server Task Sequence           Deploys a server OS, applications, drivers, and packages to a target server, including roles such as DNS, AD, and DHCP. 
Post OS Installation Task Sequence      Performs installation tasks after the OS is deployed to a target machine. 


4. On the Specify Product Key page, enter a product key if needed; you can choose to not specify a product key at this time, but then you'll be prompted during deployment to input it unless you're a volume license customer or you automate this step. (I covered automating your deployment in "Create Windows 7 Media for Deployment," InstantDoc ID 104644.) Click Next. 

5. On the OS Settings page, fill in the Full 
Name, Organization, and Internet Explorer 
(IE) Home Page fields, then click Next. 

6. On the Admin Password page, fill in the field for Administrator Password; what you enter becomes the local administrator password on your target machine. If you created a deployment share using the default selections (which I highly recommend), the Allow Admin Password page was set to not prompt for a local administrator password during the deployment process. If you don't specify an administrator password at this time, the new Windows 7 local administrator password will be blank when the deployment is complete. Input a password and confirm it, then click Next. 

The Summary page lets you review 
your choices. If everything looks good, 
click Next. When the Confirmation page 
appears, click Finish. 

Step 5: Customize Your WinPEs and Update the Deployment Share 

Updating your deployment share is when the gears of the MDT start to turn. When you update your deployment share, MDT creates two custom Windows Preinstallation Environments (WinPEs), among other things. But before you update the deployment share, which can take a while, let's look at the settings and components you can tweak to control how those WinPEs are created and what they contain. 

You customize your MDT WinPEs in the DW in the properties of your deployment share. To edit the properties of your deployment share, expand the Deployment Shares node, right-click your deployment share, and choose Properties. The deployment share's Properties dialog box has six tabs: General, Rules, Windows PE x86 Settings, Windows PE x86 Components, Windows PE x64 Settings, and Windows PE x64 Components. As Figure 3 shows, the General tab displays fields such as Description, Comments, Network (UNC) path, Local path, and Platforms Supported. All these fields are editable, but there are two I recommend leaving alone: the Network (UNC) path and Local path of your deployment share. Editing either of these fields could break your deployment share. If you want to open a different deployment share, you can right-click the Deployment Shares node in the DW and choose Open Deployment Share, then navigate to the deployment share you want to open. 

By default, the General tab shows that both x86 and x64 platforms are supported. The platform you choose determines which WinPEs are created and which other tabs you'll configure. The settings you can tweak in your WinPEs are on the Windows PE x86 Settings and Windows PE x64 Settings tabs. And the components you can add to your WinPEs are on the Windows PE x86 Components and Windows PE x64 Components tabs. The two Settings tabs are identical, as are the two Components tabs. Leaving both platforms selected on the General tab creates 32-bit and 64-bit WinPE .wim and .iso files. 

Figure 4 shows the Windows PE x86 Settings tab, which lets you name the .iso file MDT creates when the deployment share is updated, choose a custom background (if you don't like the Solution Accelerators image), and set the scratch space size; scratch space is used as temporary storage space in RAM during the deployment. 

The Components tabs let you choose which drivers and packages are injected into your WinPEs. MDT components (drivers and packages) can be grouped together by something called selection profiles. The steps for creating a selection profile are covered in "Create Windows 7 Media for Deployment," InstantDoc ID 104644. In the Driver Injection box, choose your selection profile, or you can use the default selection profile, All Drivers and Packages. After choosing a selection profile, you can choose to include all drivers from the selection profile or only specific types of drivers. The four types of drivers are network, mass storage, video, and system-class. The one and only feature pack that can be added—and is selected by default—is ADO support for MDT's database feature. (MDT's database feature is outside the scope of this article; look for future articles that will cover this feature.) You can also add optional fonts to your WinPE—specifically, Chinese, Japanese, and Korean. 

Figure 3: The General tab on the deployment share's Properties dialog box 

Figure 4: The Windows PE x86 Settings tab on the deployment share's Properties dialog box 

32 JULY 2010 Windows IT Pro, www.windowsitpro.com 

The settings on the Rules tab determine the behavior of the deployment wizard, such as which pages are displayed during the deployment process and which aren't, and how the deployment wizard gets information if a given page isn't displayed. Table 2 shows your settings if you accepted the default settings when you created your deployment share. Also on the Rules tab, in the bottom right corner, is the Edit Bootstrap.ini button. Clicking this button shows the root of your deployment server, which is where your target clients will connect to deploy an OS. 
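The Rules tab is the deployment share's CustomSettings.ini. As an added example that is not code from the article, the PowerShell below reads a Rules file containing the Table 2 defaults, resolves each property the way MDT does (walking the sections named in Priority, first definition wins), and flags the default that matters for the local Administrator account: SkipAdminPassword=YES with no AdminPassword means the password is blank unless the task sequence supplies one. The function names Read-MdtRules, Resolve-MdtProperty and Test-MdtRules are my own; AdminPassword is a real MDT property the article does not discuss.

```powershell
# Added example, not from the article. Parses MDT Rules (CustomSettings.ini)
# and reports the admin-password defaults. Function names are the author's.

function Read-MdtRules {
    # Turn INI-style Rules text into a hashtable: section -> (name -> value).
    param([string[]]$Lines)
    $ini = @{}
    $section = $null
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') {
            $section = $matches[1]
            if (-not $ini.ContainsKey($section)) { $ini[$section] = @{} }
            continue
        }
        if ($section -ne $null -and $line -match '^([^=]+)=(.*)$') {
            $ini[$section][$matches[1].Trim()] = $matches[2].Trim()
        }
    }
    return $ini
}

function Resolve-MdtProperty {
    # MDT reads the sections listed in [Settings] Priority left to right;
    # the first section that defines the property wins, later ones are ignored.
    param([hashtable]$Rules, [string]$Name)
    if (-not $Rules.ContainsKey('Settings')) { return $null }
    foreach ($entry in ($Rules['Settings']['Priority'] -split ',')) {
        $section = $entry.Trim()
        if ($Rules.ContainsKey($section) -and $Rules[$section].ContainsKey($Name)) {
            return $Rules[$section][$Name]
        }
    }
    return $null
}

function Test-MdtRules {
    # Return findings about how the Rules handle the local Administrator password.
    param([string[]]$Lines)
    $rules = Read-MdtRules $Lines
    $findings = @()
    $skipAdmin = Resolve-MdtProperty $rules 'SkipAdminPassword'
    $adminPw   = Resolve-MdtProperty $rules 'AdminPassword'
    if ($skipAdmin -eq 'YES' -and -not $adminPw) {
        $findings += 'SkipAdminPassword=YES with no AdminPassword in the Rules: the local Administrator password is blank unless the task sequence sets one.'
    }
    if ($adminPw) {
        $findings += 'AdminPassword is stored in clear text in the Rules; limit who can read the deployment share.'
    }
    return ,$findings
}

# Constructed sample: the defaults from Table 2 as MDT writes them.
$defaultRules = @'
[Settings]
Priority=Default
Properties=MyCustomProperty

[Default]
OSInstall=Y
SkipAppsOnUpgrade=YES
SkipCapture=NO
SkipAdminPassword=YES
SkipProductKey=YES
'@
$ruleLines = $defaultRules -split "`r?`n"

# Prints one warning: the defaults skip the page and set no password.
Test-MdtRules $ruleLines | ForEach-Object { Write-Warning $_ }

# To check the live share instead (root path as given in the article):
# Test-MdtRules (Get-Content '\\ServerName\DeploymentShare$\Control\CustomSettings.ini')
```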

After you've selected your platforms and configured the settings and components, you'll need to update the deployment share to create the new MDT WinPEs. In the DW, expand the Deployment Shares node. Right-click your deployment share and select Update Deployment Share to launch the Update Deployment Share Wizard. Follow these steps in the wizard: 

1. On the Options page, choose Optimize the boot image updating process, then click Next. You could also have chosen Completely regenerate the boot images; the first time you update the deployment share, it doesn't matter which you select—they do the same thing. 

2. On the Summary page, review your selections and make any necessary changes, then click Next. Click Finish on the Confirmation page to complete the wizard. 

After you've updated the deployment share for the first time, there will be new WinPEs created in the \DeploymentShare\Boot folder. These WinPEs won't show up in the DW; use Windows Explorer to find them. On subsequent updates to your deployment share within the DW, the options in the Update Deployment Share Wizard make a little more sense. Choose Optimize the boot image updating process when you want your existing WinPEs modified. If you have a corrupt WinPE and want to create new ones, choose Completely regenerate the boot images. 

Step 6: Deploy the OS to the Client 

Table 2: Default Settings for Rules on the Deployment Share 

Setting              Value               Behavior 
Priority             Default             Defines that the [Default] section heading is where the deployment wizard should begin processing. You can add your own section headings if you choose. 
Properties           MyCustomProperty    Specifies additional properties that can be added to your Rules. 
OSInstall            Y                   Performs an OS installation. 
SkipAppsOnUpgrade    YES                 Skips displaying the application page during an upgrade. 
SkipCapture          NO                  Asks if an image should be captured during deployment. 
SkipAdminPassword    YES                 Skips the page that would let a user input the administrator password during deployment. 
SkipProductKey       YES                 Skips prompting for a product key during deployment. 

Figure 5: The Installing Windows page and the Installation Progress bar during an installation 

Now you're ready to deploy your first Windows 7 OS to a target machine. Make sure your target machine has networking functionality and access to the MDT deployment share. Boot the target machine with one of the custom MDT-generated WinPEs (LiteTouchPE_x86.iso or LiteTouchPE_x64.iso), which you'll need to have burned to disk or stored on an external hard disk or USB flash drive. Follow these steps in the Windows Deployment Wizard, which launches automatically: 

1. The Welcome Windows Deployment page has three options to choose from: Run the Deployment Wizard to install a new Operating System, Run the Windows Recovery Wizard, and Exit to Command Prompt. There's also the Configure with Static IP Address button. Before you dive in and start deploying, let's look at how the target machine receives an IP address. By default, the target machine is a DHCP client, so it should receive an IP address, subnet mask, and any configured options from a DHCP server. If a DHCP server isn't available, you need to assign static IP information by clicking the Configure with Static IP Address button. If you need to confirm the statically configured IP information, press the F8 key to launch a command prompt and use ipconfig to review your settings; don't use Exit to Command Prompt because this option ends the deployment. Run the Windows Recovery Wizard launches a custom WinPE that searches for all files required to boot the target machine after an OS has been deployed; any missing or corrupt files are replaced. Select Run the Deployment Wizard to install a new Operating System to kick off the deployment process when you're deploying an image to a target machine. 

2. On the User Credentials page, supply 
a User Name, Password, and Domain for 
an account that has permissions to your 
deployment share, then click OK. 

3. The task sequence we created earlier, Windows 7 Bare Metal Installation, appears on the Select a task sequence to execute on this computer page. If your task sequence isn't listed, ensure you booted the correct platform of WinPE. A 32-bit WinPE displays only 32-bit task sequences, and a 64-bit WinPE shows only 64-bit task sequences. Choose your task sequence, then click Next. 

4. On the Configure the computer name 
page, enter a name for the target machine, 
then click Next. 

5. The Join the computer to a domain or workgroup page gives you the option to join the target machine to a workgroup or domain. Joining a domain requires domain credentials with permissions to join the new machine to the domain. For this example, I'm choosing to join a workgroup. Click Next. 
6. The Specify whether to restore user data page lets you restore the user's data and settings—IE favorites, My Documents, and Outlook settings to name a few—from an existing machine if you've already gathered the user's data and settings and stored them on a server. To restore this information, choose Specify a location and enter the UNC path to where you stored it. After Windows 7 is installed, the user's settings and data will be copied to the target machine. I'm selecting Do not restore user data and settings. Click Next. 

7. On the Language and other preferences page, select your language, time and currency format, and keyboard layout from the drop-down list, then click Next. 

8. Choose your time zone on the Set the 
Time Zone page, then click Next. 

9. If you've added applications to the 
DW, the next page will be the Select one or 
more applications to install page. From the 
list provided, select the applications you 
want to install. If you haven't added any 
applications to the DW, this page won't 
display. Click Next. 

10. The Specify whether to capture an image page lets you capture an image of the target machine after the deployment successfully completes. The Prepare to capture the machine option copies the files needed to run Sysprep on the machine but doesn't run Sysprep or capture an image of the target machine. Choose the Do not capture an image of this computer option, then click Next. 

11. The Specify the BitLocker configuration page lets you enable BitLocker on the target machine and specify where the BitLocker encryption key will be stored. Accept the default, Do not enable BitLocker for this computer, then click Next. 

12. Finally, the Ready to begin page is displayed. Click Details to review your selections. If you need to make changes, click the blue back arrow in the bottom left corner to return to the appropriate page; if everything looks good, click Begin. You'll see the Installation Progress bar showing the stages of the installation. One note of caution: If the Installation Progress bar appears to freeze, move it aside to reveal any error messages. When errors occur during deployment, the message sometimes gets hidden under the Installation Progress bar. As Figure 5 shows, the Installing Windows page appears under the Installation Progress bar to help you monitor the deployment process. 

No Muss, No Fuss 

I hope with these steps you'll be able to deploy Windows 7 complete with applications, drivers, and packages—no muss, no fuss, and at no extra cost. (Well, no cost other than a little time.) As always, let me know if I can help with your deployments. If you have questions or comments, you can email Rhonda@DeploymentDr.com. 

InstantDoc ID 125154 
In many ways, Microsoft Office is a force of nature. Installed on several hundred million PCs, it's a key component in most people's workday and it's responsible for billions in quarterly revenues for the software giant. But this very success works against Office as well. How can you convince customers to upgrade to the latest version when the previous several versions are already so good? 

For Microsoft, this is a very real problem. According to the company, 65 to 70 percent of all 
Office users worldwide are still using Office 2003, with most of the remainder on Office 2007. As always, 
a few diehards cling to even older versions. 

But at least Office has to compete only with itself, for now anyway. On the desktop, free and paid office 
productivity suites haven't provided any meaningful competition since the 1990s. Online competitors 
such as Google Docs make a lot of noise, thanks to the tech industry's fascination with cloud computing, 
but they haven't really chipped away at Office usage. 

Still, one of the big trends with Office 2010 is essentially a realization on Microsoft's part that the 
world is changing and that Office must change with it. So the traditional Office suites and applications 
now offer better integration with online storage services. This integration isn't just with the corporate- 
oriented SharePoint but also with the consumer-friendly SkyDrive. There are versions of four Office 
applications—Word, Excel, PowerPoint, and OneNote—that run in the cloud by means of the new 
Office Web Apps. Although they're not full-fledged replacements for their desktop-bound brethren, they 
practically ooze with potential. And the Office versions for mobile devices continue forward, not just for 
Windows Mobile and the upcoming Windows Phone, but also for select Nokia devices. 

Together, the Office 2010 suites for the desktop, Office Web Apps, and Office Mobile 2010 constitute 
Office 2010. 


A look at what's changed and what's new 

by Paul Thurrott 


Office 2010 Suites 

There's a lot that can be said about Office, but some interesting trends emerge when you look at the 
product suites and applications from a high level. With a few rare exceptions, this is a mature set of 
solutions, and some of them—Excel and Word, for example—actually date back 25 years. Thus, the 
core Office applications aren't really seeing any revolutionary changes this time around, but that's how 
it should be. 

What you do see across the board is the full "ribbonization" of Office 2010. In Office 2007, only some of the applications went through this process, in which the old-school menu and toolbar system is replaced by a more efficient and productive UI called the ribbon. In Office 2010, every application, even Outlook, has been "ribbonized."

But Microsoft went much further and 
really made the ribbon truly useful in Office 
2010, which should silence the critics. Now, 
the ribbon is fully customizable, so if you 
want to remove or add some commands on 
the tabs or even remove or create your own 
tabs, you're in luck. 

Although the ribbon is now consistently applied in all the Office applications, Microsoft has made only a half-hearted effort in the Backstage view. New to Office 2010, the Backstage view is an attempt to provide a single location for file and application management tasks. It's roughly analogous to the old File menu from previous Office versions. (So much so that the ALT+F keyboard shortcut enables this feature.) Backstage view takes up the whole application window, replacing whatever you're working on. Although that might seem strange at first, it provides a nice amount of screen real estate for the task at hand, be it sharing, saving, printing, or another task.

But the problem with the Backstage view is that some options use this entire application window area to do their thing while others, confusingly, still trigger old-school dialog boxes. When those dialog boxes appear, the Backstage view disappears. Microsoft confirmed to me that it had intended to make the Backstage view consistent in all the Office 2010 applications but ran out of time. So, as with the ribbon in Office 2007, the Backstage view is a good idea that's not completely implemented.

Out of all the core Office applications, 
Outlook boasts the biggest changes. If 
you're an Office 2007 user wondering 
if Office 2010 is worth the upgrade, this 
could seal the deal. 


Outlook is now ribbonized, and it works pretty well in this configuration. But that's not the biggest change. The biggest changes are other features that will have you managing your email more efficiently than before. Key among these features are the new conversation management tools:

• Conversation View, which aggregates 
messages from the same conversation 
into a single collapsible entry 


• Clean Up, which removes redundant 
email messages from a conversation 

• Ignore Conversation, which ignores 
conversations that have drifted off into 
unproductive territory 

My favorite new Outlook feature is 
Quick Steps, which provides a visual way 
to construct what are basically multistep 
macros attached to icons in the ribbon. 
So, if you want to perform some action 
on an email message, you can construct 
a simple Quick Steps action in no time, 
and organize your email as you see fit. For 
example, I used Quick Steps to create an 
Archive It action, as Figure 1 shows. When 
I click the Archive It icon in the ribbon, 
the selected message is marked as read 
and moved to a folder named _Archived 
Mail. 

As with Office 2007, Office 2010 is available in a variety of ways. You can purchase boxed and electronic versions of the individual applications and various product suites. Microsoft also offers a new Product Key Card, which provides only a product key. It's designed for users who purchase new PCs with some version of Office 2010 preinstalled but would like to electronically upgrade to a higher-end version of the suite.

For businesses, there are essentially four 
versions of the Office 2010 suite that should 
be of interest: 

• Office Home and Business 2010. This 
$280 retail version is targeted at home 
users and small businesses. It includes 
Excel, OneNote, Outlook, PowerPoint, 
and Word. 

• Office Standard 2010. This volume- 
license offering includes Excel, 
OneNote, Outlook, PowerPoint, 
Publisher, and Word. 

• Office Professional 2010. This $500 
retail version includes Access, 
Publisher, and all the applications in 
Office Home and Business 2010. 

• Office Professional Plus 2010. This volume-license version includes Communicator, InfoPath, SharePoint Workspace 2010, and all the applications in Office Professional 2010. This version is now the highest end of the Office 2010 suite. (Office 2007 included an Ultimate edition that's no longer offered.)
Figure 1: Using Outlook 2010's new Quick Steps feature

Note that Microsoft provides both 32-bit and 64-bit versions of the Office 2010 suites. The retail versions feature an option to choose one or the other during installation. Unless you're an Excel guru with a need for spreadsheets larger than 2GB, I recommend skipping the 64-bit versions because of incompatibilities with existing Office add-ons.

Office Web Apps 

When you initially look at a solution like Google Docs, you immediately see the appeal: It's a light, fast office productivity suite that lives on the web, not your PC, so it doesn't need to be manually updated every month as new security updates roll out.

Then, you actually spend some time with the solution, and the limitations become apparent. Aside from some interesting collaboration features, Google Docs is functionally similar to the version of Office that Microsoft shipped in 1995. (And I'm being kind here.)


Finally, it hits you. The perfect online office suite would look and work just like Office, except that it would live on the web like Google Docs. That's the promise of Office Web Apps, a new member of the Office family. While it would've been far more interesting if Microsoft had delivered on this promise, the reality is that Microsoft has a market to protect. So, instead of being full-featured alternatives to the traditional Office applications, Office Web Apps—which consist of web-based versions of Word, Excel, PowerPoint, and OneNote—are positioned as accessories or companions. That is, they're not quite the real deal. The missing features and the performance issues inherent with using such heavy software in the cloud make this first Office Web Apps release a bit less interesting than it could have been.

To illustrate the problem, all you need to do is compare the Word 2010 application with its web-based counterpart, Word Web App. The differences are striking. Both feature the standard ribbon UI, but as Figure 2 shows, the Word Web App has just three tabs compared to the default seven tabs in Word 2010. (In Figure 2, "File" is akin to the Microsoft Office button and therefore not considered a tab.) Because the Review tab is gone, there are no reviewing tools at all. And the existing tabs are missing key features. For example, on the Home tab, you lose out on editing features such as Format Painter and the ability to add text effects, add shading, and edit styles.

Similarly, the other Office Web Apps are missing features, rendering them useless for real work. What they're designed for is light editing only and for those rare times when you want to work on a document interactively with another person. The Office Web Apps do a great job of retaining formatting—what Microsoft calls document fidelity—so that even if you need to edit a complex document, you don't need to worry about undoing any previous work.


Figure 2: Editing documents in Word Web App (screenshot of WinInfo.docx open in Microsoft Word Web App inside Windows Internet Explorer)
Figure 3: Sorting messages by conversation in Outlook Mobile 2010

The Office Web Apps are available through Microsoft's free consumer-oriented Windows Live SkyDrive service or through a SharePoint 2010 site (including SharePoint Foundation 2010) hosted internally or accessed as a hosted service from Microsoft Online. Businesses that purchase a volume license version of Office 2010 get a free license for Office Web Apps.

Office Mobile 2010 

Like Office Web Apps, Office Mobile 2010 is designed as a companion to the traditional desktop applications. It consists of Outlook (Email, Calendar, and Contacts), Word, Excel, PowerPoint, and OneNote for Windows Mobile or Windows Phone smartphones. There's also a version for certain Nokia smartphones.

Office Mobile 2010 has a number of interesting changes, some of which are related to new mobile form factors. Other changes are related to capabilities associated with the PC-based Office suite.

In response to the commonly used 
multitouch mobile devices, Office Mobile 
2010 includes improved gesture and touch 
support. This lets you more easily navigate 
through menus and select items in the UI. 

Office Mobile 2010 integrates with SharePoint Server 2010 and Information Rights Management (IRM), allowing you to work with corporate documents securely in both online and offline situations. You can also work directly with server-based documents, which is a first. Like its predecessor, Office Mobile 2010 does a reasonable job of rendering complex Word, Excel, and PowerPoint documents, while retaining the underlying formatting. So, if you edit a document on the phone and access it later on the desktop, the formatting will be retained.

PowerPoint jockeys might appreciate some new functionality that lets you use your Windows Mobile smartphone as a remote control for your PC-based presentations. Aside from the expected navigational controls, it can optionally display your presentation notes on the device screen.

As with the desktop suite, the mobile suite's biggest changes lie in the email application. Outlook Mobile 2010 supports the Conversation View feature (see Figure 3) when used in tandem with Microsoft Exchange Server 2010, providing users with a handy way to manage overpopulated email threads. And smart filtering provides on-the-fly search results as you type.



Ultimately, the problems with Office Mobile are the same as ever: The smartphones' small form factors aren't ideal for reading (let alone editing) documents, and text entry is painful, regardless of the presence of a hardware keyboard. Outlook Mobile is a fine choice for Exchange-based workers, but it still falls short of the elegant iPhone Mail interface. SharePoint customers should investigate this solution, however. The ability to access SharePoint-hosted documents on the go could be a huge advantage.

Should You Upgrade? 

Office 2010 is a large and complex set of products, and your decision about whether to upgrade could be driven in large part by which Office solutions are already in your environment. If you're running the Office 2003 (or earlier) desktop-based applications, I recommend that you upgrade immediately. The productivity benefits of moving to a ribbon-based UI are undeniable, and now that the ribbon is fully customizable and available across the entire product line, there's little reason to hold off. If you're running Office 2007, you face a more difficult decision. If you rely heavily on Outlook, you should consider upgrading solely for the many improvements in that one application.

If you were hoping to save some money on Office licenses by having your least demanding users utilize the free Office Web Apps instead of locally installed applications, I strongly recommend testing that solution first. I suspect few users will find the Office Web Apps adequate. Although performance is an issue, my biggest qualm is that Microsoft appears to have artificially hobbled the functionality of the Office Web Apps, presumably to prevent too many defections to a free product. A better solution would have been a more capable Office Web Apps at rock-bottom pricing, but given Microsoft's conservative cloud moves, that won't likely happen until the next Office revision.

Office Mobile 2010 is what it is: A handy 
companion for those times when you're stuck 
in a cab or plane without a laptop and really 
need to view and possibly minimally edit an 
important presentation or other document. 
But I have a hard time imagining anyone 
purchasing a Windows Mobile smartphone 
to use Outlook Mobile. There are far better 
mobile email solutions out there. 

Where Office 2010 really shines is when 
you integrate these many pieces together, 
preferably with a SharePoint 2010 document 
repository backend. Combining an Office 2010 
suite and SharePoint when you're in the office 
with Office Web Apps and Office Mobile when 
you're on the go is hard to beat at any price. 
Sure, Google may offer free and inexpensive 
office productivity solutions, but in this case 
you really do get what you pay for.
Much has been written about Windows Server 2008's new directory services features, including the read-only domain controller (RODC), fine-grained password policies (FGPPs), and enhanced auditing. Sometimes the biggest improvements in a new OS come from what might seem like small changes. Although every Active Directory (AD) installation shares common needs (e.g., security, administration, backups), these needs are addressed in almost as many ways as there are AD installations.

The Server 2008 improvements to Ntdsutil, the command-line utility administrators use to perform AD maintenance, haven't received as much press but might be as valuable to you as better-advertised features. Server 2008 has six new Ntdsutil features, of varying significance: Snapshot, Activate Instance, DS Behavior, Local Roles, Partition Management, and Install from Media (IFM). Read on for more information about each feature and to learn whether they will benefit your organization.


New features for managing Active Directory

by Sean Deuby


Snapshot

The Snapshot feature (aka Active Directory Database Mounting Tool) is an Ntdsutil command that takes a snapshot in time of your AD database, including all objects and attributes. You can use snapshots with tombstone reanimation to quickly restore deleted AD objects and their attributes. Historically, if an important AD object such as an organizational unit (OU) were accidentally deleted, the AD administrator would have to perform an authoritative restore. This process involves taking a production domain controller (DC) offline, mounting a tape or disk-based backup, performing a nonauthoritative restore from backup, using Ntdsutil's authoritative restore command to select the object(s) being restored, and rebooting the DC. You might also need to restore group memberships. The whole process is very time consuming.

Tombstone reanimation, first introduced in Windows Server 2003 (and discussed in "AD Tombstone Objects," InstantDoc ID 41576), provides a way to return a deleted object from the Deleted Objects container to its original location. Most attribute values are stripped from the deleted object (or "tombstone"), however, so the restore isn't really useful until these attributes are repopulated. For example, if a user is deleted and subsequently reanimated, the MemberOf and password attributes will be empty.

Systems administrators and various vendors have come up with several methods for retaining this data and mapping it to the deleted object to speed up the restore process. If the object in question is a user object, the password is also stripped on deletion, which can be an operational headache if you need to restore many user objects and generate all new passwords. You can use bit 3 (0x00000008) of the attributeSchema object's SearchFlags attribute to modify which attributes remain stored in the tombstone object, including the password. (This is a schema modification: it requires Schema Admins membership, it has to be written to the schema master, and it affects only objects deleted after the change has replicated.) For more information about reanimating tombstone objects, see the TechNet article "Reanimating Active Directory Tombstone Objects" at www.microsoft.com/technet/technetmag/issues/2007/09/Tombstones/default.aspx. Because a snapshot contains all objects and attributes of the directory at the time the snapshot was taken, if you have a snapshot of the directory before the object was deleted you can review and extract all its attributes, then apply them to the reanimated object. Taking a snapshot requires you to be a member of the Enterprise Admins or Domain Admins group.
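The SearchFlags change described above, as an added PowerShell example (this is not code from the article or from Microsoft). It looks up the attributeSchema object by lDAPDisplayName, binds to the schema master because only that DC accepts schema writes, and sets bit 3 (0x8) of searchFlags without disturbing the other bits. It assumes a domain-joined host with PowerShell 2.0, a caller who is a member of Schema Admins, and that the attribute names in the calls at the bottom are illustrative.

```powershell
# Added example: set the "preserve on delete" bit (0x8) in searchFlags on an
# attribute's schema definition so its value survives on the tombstone.
# Assumes: domain-joined host, PowerShell 2.0, caller in Schema Admins.
function Set-PreserveOnTombstone {
    param(
        [Parameter(Mandatory = $true)] [string] $LdapDisplayName,
        [switch] $WhatIf
    )
    $PRESERVE_ON_DELETE = 0x8      # bit 3 of searchFlags

    # Schema writes are accepted only by the schema master, so find it from
    # the schema head's fSMORoleOwner instead of binding to any DC.
    $schemaNc   = ([ADSI]"LDAP://RootDSE").Get("schemaNamingContext")
    $ntdsDn     = ([ADSI]"LDAP://$schemaNc").Get("fSMORoleOwner")   # CN=NTDS Settings,CN=<server>,...
    $serverDe   = ([ADSI]"LDAP://$ntdsDn").Parent
    $schemaHost = $serverDe.Properties["dNSHostName"].Value

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$schemaHost/$schemaNc"
    $searcher.Filter     = "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))"
    $null = $searcher.PropertiesToLoad.Add("searchFlags")
    $hit = $searcher.FindOne()
    if ($hit -eq $null) { throw "No attributeSchema object has lDAPDisplayName '$LdapDisplayName'" }

    $attr    = $hit.GetDirectoryEntry()
    $current = [int]$attr.Properties["searchFlags"].Value     # an unset value becomes 0
    $wanted  = $current -bor $PRESERVE_ON_DELETE

    if ($current -eq $wanted) {
        return ("{0}: searchFlags already 0x{1:X}, nothing to do" -f $LdapDisplayName, $current)
    }
    if ($WhatIf) {
        return ("{0}: would change searchFlags 0x{1:X} -> 0x{2:X} on {3}" -f $LdapDisplayName, $current, $wanted, $schemaHost)
    }
    $attr.Properties["searchFlags"].Value = $wanted
    $attr.CommitChanges()
    return ("{0}: searchFlags 0x{1:X} -> 0x{2:X} on {3}" -f $LdapDisplayName, $current, $wanted, $schemaHost)
}

# Dry run first, then apply. unicodePwd is the stored password attribute the
# article refers to; telephoneNumber stands in for any ordinary attribute
# (both names are illustrative choices, not a recommendation from the article).
Set-PreserveOnTombstone -LdapDisplayName "unicodePwd" -WhatIf
Set-PreserveOnTombstone -LdapDisplayName "unicodePwd"
Set-PreserveOnTombstone -LdapDisplayName "telephoneNumber"
```

Note that memberOf is a back-link computed from each group's member attribute, not a value stored on the user, so no searchFlags setting brings group memberships back; that is what the snapshot is for.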

Suppose an administrator accidentally deletes the CEO's user object. Because you modified SearchFlags beforehand to retain a deleted object's password, you can use a free tombstone reanimation program such as SDM Software's AD Tombstone Reanimation Cmdlets (www.sdmsoftware.com/freeware) to return the deleted object to its original location. Then you need to mount the appropriate snapshot, by following the directions in the TechNet article "Active Directory Domain Services Database Mounting Tool (Snapshot Viewer or Snapshot Browser) Step-by-Step Guide" at technet.microsoft.com/en-us/library/cc753609.aspx, extract the object's important attributes with a utility such as Joeware's AdFind (www.joeware.net/freetools/tools/adfind/index.htm), apply them to the restored object with Joeware's AdMod (www.joeware.net/freetools/tools/admod), and voila! You've just restored an accidentally deleted object without resorting to an authoritative restore. This process can be automated, of course. For a PowerShell script that performs this task, see Darren Mar-Elia's blog "PowerShell Script to leverage AD Tombstone cmdlets," which contains a link to Guido Grillenmeier's script (sdmsoftware.com/blog/2008/06/10/powershell-script-to-leverage-ad-tombstone-cmdlets).

Taking a snapshot is a simple procedure. Open a command prompt with administrative rights on a DC, then start Ntdsutil. Enter

activate instance ntds

to select the directory instance you want to take the snapshot of. Enter

snapshot

to switch to the snapshot menu, then enter

create

to take a snapshot, as Figure 1 shows. Ntdsutil reports the GUID of the new snapshot set; you'll need it (or the index shown by the list all command) when you later mount the snapshot. Keep in mind that a snapshot is a complete copy of ntds.dit, password hashes included. Anyone who can mount it holds the same data as someone who walked off with the DC, so protect and delete snapshots as carefully as you would backups.

DS Behavior 

DS Behavior lets you control an extra layer of security in Server 2008. By default, Server 2008 Active Directory Domain Services (AD DS) doesn't allow password operations (setting or changing a password) over an unsecured connection, that is, an LDAP connection not protected by SSL/TLS or by signing and sealing, so a password never crosses the wire in the clear. With DS Behavior, you can use the command

allow passwd op on unsecured connection

to circumvent this limitation, typically only to accommodate a legacy application that can't use a secured connection. Note that even though this option is available, you'd typically want to retain the secure default, and if you do have to relax it, revert the setting once the application has been fixed.

Local Roles 

The Local Roles feature is used to define group membership locally on RODCs. RODCs can provide true administrative role separation by giving users some degree of elevated rights (e.g., Administrators, Server Operators) on an RODC but not anywhere else in the domain. For example, to add JaneBranchOfficeAdmin to an RODC's local Administrators group, launch Ntdsutil from a command prompt on the RODC. Enter

local roles 

From the local roles menu, enter 

add JaneBranchOfficeAdmin Administrators 

to add Jane to the local Administrators role. 

Partition Management 

Partition Management lets you create, list, remove, and set replication notification delay for application partitions in an AD domain or forest. (Application partitions are also referred to as NDNCs, or non-domain naming contexts.) You can also list the DCs that are replicas supporting an application partition. Finally, you can use Partition Management to manage partitions in AD LDS.

Install from Media 

IFM is an advanced option of the DCPROMO DC creation wizard (although the terms IFM and Install From Media don't appear anywhere in the wizard). IFM lets administrators promote a new DC into a domain by using a system state backup to load the necessary directory partitions into the DC's database rather than over the network. If you have a large database, this approach can save a lot of time compared with a traditional over-the-wire promotion. (For more information about using IFM to promote DCs, see the Microsoft article "How to use the Install from Media feature to promote Windows 2003-based domain controllers" at support.microsoft.com/kb/311078.)

The IFM feature has been around since Windows 2003 but wasn't part of Ntdsutil until Server 2008. Microsoft added IFM to Ntdsutil to accommodate Windows Server Backup, which replaces the venerable NTBackup utility that has been around since Windows NT 3.5. However, Windows Server Backup has a different functionality set than NTBackup; if you performed disk-based system state backups of your DCs with NTBackup, you'll find that Windows Server Backup takes longer and uses more space. (Server 2008 system state backup also backs up system files that are under Windows File Protection—WFP—in addition to backing up the AD database and SYSVOL.)

The change in functionality to Windows Server Backup and the additional needs of the RODC prompted the Directory Services team to add the ability to back up just enough of a DC (the database itself and two registry hives) to promote a new Server 2008 DC from media rather than over the network. IFM does just that. In addition, IFM is simpler and faster than the Windows 2003 method because you don't need to perform a backup and then restore from that backup to obtain the necessary files. I've personally witnessed an incredible reduction in DCPROMO time from 19 hours (replication over the network) to 10 minutes (IFM).

IFM has four options: create full folder, create SYSVOL full folder, create RODC folder, and create SYSVOL RODC folder, where folder is the path that will receive the media set. Logically split into two pairs, these commands perform two functions. The "full" options create installable media to promote a full DC, and the "RODC" options create media for RODCs. The difference is that for security reasons the RODC options mark the AD database as read-only, and they clear the password attributes. Letting an IFM media set fall into the wrong hands is as much of a security risk as letting an entire DC do so. The RODC option makes the IFM media set as safe as an RODC itself. If you include the SYSVOL option, the contents of the SYSVOL shared folder are also added to the set. This method creates a larger set of files to be moved to the DC-to-be, but SYSVOL won't need to replicate over the network.

Figure 1: Taking a snapshot

IFM is easily scripted; you can stack up Ntdsutil commands on a command line or in a script. The following example creates a full IFM backup, without SYSVOL, into a folder named backup:

ntdsutil "activate instance ntds" ifm "create full backup" quit quit

Figure 2 shows the output. Substituting a date variable for the folder name is a simple task.

Using IFM to create new DCs is handy, but its real usefulness is in quickly restoring DCs after an operational failure. The most common operational failure mode is OS-related, not AD-related. In such a case, both the OS and the AD database must be recovered. Server 2008 provides three methods for recovering the OS and AD database. The traditional method is to restore the system from tape. Although Server 2008 doesn't support this method natively, you can use a third-party product. You can also use Windows Server Backup to perform a recovery through Windows Complete PC Backup. (Because the OS has failed, a system state restore won't work.) Finally, you can skip the recovery process and just rebuild and repromote the DC.

The most important task in case of a failed DC is to get the DC back up as soon as possible. (A secondary goal is to determine the cause of the failure.) When restoration time is crucial, the restore from tape backup method takes too long: You must reinstall the OS, install the backup software, restore the system, and reboot. Restoring from Windows Complete PC Backup is much faster: You simply boot from the Server 2008 installation CD-ROM, select Repair my computer, and recover every volume that contains critical system data. This process can be time consuming, however, if your AD database and log files are spread across partitions. In addition, the backup set must be available on a local partition or a USB hard drive. If the set is on a local partition, the partition must be dedicated to Windows Server Backup because it will reformat and use the partition entirely. Although some planning and repartitioning is necessary as you upgrade your DCs to Server 2008, the process should be easy because hard disk sizes have grown beyond any DC's possible disk requirements.



Figure 2: Creating a full IFM backup 


I recommend a third approach: Skip the restore process, and simply wipe and reinstall the OS on the server, then repromote it to DC status using the IFM method. This is the fastest way to get a seriously broken DC back up. The process involves the following steps:

1. Perform regular IFM backups of 
your DC's local database and direct them 
toward a partition that doesn't contain 
critical system data. 

2. Have an unattended build CD-ROM available at the DC's data center. (For information about unattended setup on Windows 2003 and Server 2008, see the TechNet articles "How Unattended Installation Works" at technet.microsoft.com/en-us/library/cc786944(WS.10).aspx and "Lite-Touch, High Volume Deployment" at technet.microsoft.com/en-us/library/dd919179(WS.10).aspx.)

3. The DC should be dedicated in its role 
(with the exception of AD-integrated DNS). 

4. If your DC's OS fails or has any problem that takes more than 15 minutes to fix:

a. Have operations insert the CD-ROM 
and perform an unattended (re)installation 
of the OS. This step should take anywhere 
from 15 to 30 minutes. 

b. While the reinstall is underway, the 
DC administrator on call should perform 
a metadata cleanup of the DC in AD. 

The metadata cleanup process removes AD data about the failed DC that's used in replication. When a DC is demoted normally, this information is removed as part of the demotion process. A failed DC, however, doesn't go through the normal demotion process, so this information must be removed manually. In Windows 2003, you use Ntdsutil to perform the metadata cleanup, as discussed in the TechNet article "Clean up server metadata" at technet.microsoft.com/en-us/library/cc736378(WS.10).aspx. The procedure is simplified in Server 2008 and Server 2008 R2; the TechNet article "Clean Up Server Data (Windows Server 2008)" at technet.microsoft.com/en-us/library/cc816907(WS.10).aspx explains the process using Active Directory Users and Computers and Active Directory Sites and Services.

c. When the reinstall and reconfiguration 
is complete, perform an IFM promotion 
of the DC, pointing to the IFM backups on 
the backup partition. The entire operation 
should take no more than 15 minutes. 
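Step 4c as a script the on-call administrator can run once the unattended reinstall finishes, as an added PowerShell example (not code from the article). It picks the newest IFM set on the backup partition, warns if the set looks too old to be inside the tombstone lifetime, writes a dcpromo answer file whose ReplicationSourcePath points at that set, runs dcpromo unattended, and removes the answer file whatever the outcome. It assumes that metadata cleanup (step 4b) is done, that the IFM partition survived the reinstall, that PowerShell 2.0 is present on the freshly built server, and that the domain name, site name and paths are illustrative placeholders.

```powershell
# Added example: repromote a rebuilt DC from the newest IFM set via dcpromo /unattend.
# Assumes: metadata cleanup already done, IFM partition intact, PowerShell 2.0.
# Domain, site and paths are placeholders.
param(
    [string] $IfmRoot  = "D:\IFM",
    [string] $Domain   = "contoso.com",
    [string] $Site     = "Default-First-Site-Name",
    [string] $SourceDc = ""          # optional healthy DC to pull changes made since the set was taken
)
$ErrorActionPreference = "Stop"

# Newest folder that actually contains a database copy.
$set = Get-ChildItem $IfmRoot |
    Where-Object { $_.PSIsContainer -and (Test-Path (Join-Path $_.FullName "Active Directory\ntds.dit")) } |
    Sort-Object CreationTime -Descending | Select-Object -First 1
if ($set -eq $null) { throw "No usable IFM set under $IfmRoot" }
if ($set.CreationTime -lt (Get-Date).AddDays(-60)) {
    Write-Warning "Newest set is older than 60 days; make sure it is younger than the forest tombstone lifetime"
}

# Credentials are typed by the operator, never stored in the script.
$cred = Get-Credential "$Domain\Administrator"
$dsrm = Read-Host "Directory Services Restore Mode password" -AsSecureString
$dsrmPlain = (New-Object System.Management.Automation.PSCredential("dsrm", $dsrm)).GetNetworkCredential().Password

$answer = @"
[DCInstall]
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=$Domain
SiteName=$Site
ReplicationSourcePath=$($set.FullName)
$(if ($SourceDc) { "ReplicationSourceDC=$SourceDc" })
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
UserDomain=$Domain
UserName=$($cred.UserName -replace '^.*\\', '')
Password=$($cred.GetNetworkCredential().Password)
SafeModeAdminPassword=$dsrmPlain
RebootOnCompletion=Yes
"@

$answerFile = Join-Path $env:TEMP "dcpromo-ifm.txt"
try {
    Set-Content -Path $answerFile -Value $answer -Encoding ASCII
    # dcpromo blanks the password values once it has read them; the file is
    # deleted below regardless, so the secrets never outlive the promotion.
    $p = Start-Process dcpromo.exe -ArgumentList "/unattend:`"$answerFile`"" -Wait -PassThru
    "dcpromo exit code: $($p.ExitCode) (using $($set.FullName))"
}
finally {
    Remove-Item $answerFile -Force -ErrorAction SilentlyContinue
}
```

If the IFM set was created with the SYSVOL option, dcpromo picks SYSVOL up from the same folder; otherwise it replicates SYSVOL over the wire after the promotion, which on a small domain is still well inside the 15-minute target above.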

New Recovery Capabilities 

Ntdsutil has several new features in Server 
2008. Pay attention to them, and consider not 
only the functions they perform but also the 
new recovery capabilities they provide the 
groundwork for. Even small improvements 
in AD can provide large benefits.
Searching the content of user mailboxes has always been pretty tricky for Microsoft Exchange Server administrators. Naturally, companies are always cautious when accessing data in users' mailboxes because of potential legal problems, such as privacy issues, that can arise. Furthermore, until the release of Microsoft Exchange Server 2010, Exchange hasn't had a friendly tool to perform search across multiple mailboxes in an organization. Exchange 2010 brings new functionality, called Multi-Mailbox Search (aka discovery search), that lets administrators and other authorized personnel use a new graphical console to perform keyword-based searches on one or more mailboxes in an Exchange organization. In this article, I'll discuss the technology that lies underneath this feature and explain the steps you need to follow to perform this type of search.

If a company wanted to access data inside a user's mailbox in previous Exchange versions, the only way to do it was to grant full access rights on the mailbox object to the administrator who would access that data. Alternatively, it was possible to export the whole user mailbox and open it on another computer. However, this approach still provided administrators with access to data only in a single user's mailbox. Exchange 2007 added the ability to perform multi-mailbox searches with Windows PowerShell's Export-Mailbox cmdlet, but without a graphical interface. Also, every Exchange administrator was able to perform this search, which could pose a security risk.

Multi-Mailbox Search in Exchange 2010 lets administrators search users' mailbox data without 
requiring them to have full access rights on the mailbox objects and with the ability to search multiple 
mailboxes at the same time—either from the GUI or the command line. 


New console makes e-discovery and other searches a snap

by Damir Dizdarevic


Multi-Mailbox Search Scenarios 

Many companies don't consider data in user mailboxes as something private. Typically, employees 
are warned that authorized persons can and will access their data and read some or all of their email 
correspondence if appropriate circumstances warrant it. For example, if a company suspects that users 
are sending confidential data outside the company through email, correspondence can be watched 
by using a variety of approaches. Also, mailbox searches are commonly a very important part of legal 
requirements. For example, you might have a legal requirement to have all email correspondence of a 
specific type available for a request, or you might receive a court order to track email correspondence 
for specific users. 

To track messages, you can use transport rules on the Exchange server by defining patterns of text that appear in email messages and could represent confidential data. Or you could implement journaling, where you archive all messages from a specific user in a separate mailbox. With Exchange 2010, you can search for specific criteria by performing a keyword-based Multi-Mailbox Search across mailboxes in the organization.

For legal requirements, discovery search can be used in one more scenario: legal holds. In Exchange 2010, it's possible to activate the legal hold option on specific user mailboxes, which means that from that moment, all messages that are in that mailbox or pass through it will be retained, even if the user deletes a message and empties the Deleted Items folder. You can access all these retained items when you perform a Multi-Mailbox Search.

Technologies Behind Multi-Mailbox Search

Although it might look simple at first, several technologies are involved in Multi-Mailbox Search functionality. To perform a search across multiple mailboxes, Multi-Mailbox Search uses the content indexes created by Exchange Search. This service is enhanced with new capabilities to provide the extensive search functionality required by Multi-Mailbox Search. Also, because there is a single content indexing engine, discovery requests don't require a separate index or additional indexing resources.

Exchange Control Panel (ECP) is the administrative interface you use to perform Multi-Mailbox Search. ECP is a new web-based console, for both administrators and end users, that provides an easy-to-use search interface for both technical and non-technical personnel, such as legal and compliance officers, records managers, and HR professionals. Because ECP is web-based, it's available from practically anywhere, and it's easy to use because it doesn't require any type of Microsoft Management Console (MMC) snap-in console. Moreover, ECP works much like Outlook Web Access, which in Exchange 2010 is renamed Outlook Web App (OWA), so no extensive user training is required.

From a security perspective, Exchange 2010 offers Role Based Access Control (RBAC), a new method for delegation of various permissions in Exchange. RBAC includes the Discovery Management role group to delegate discovery tasks to authorized users without the need to provide elevated privileges, such as full mailbox access or privileges that could allow a user to make any operational changes to Exchange configuration. The Discovery Management role group has no members by default; not even Exchange administrators are included.

All search results are stored in a special mailbox called Discovery Search Mailbox; it's not possible to store results in any other mailbox, such as a user's mailbox. The Discovery Search Mailbox is created during Exchange installation and can't be used for standard purposes such as sending and receiving email because delivery restrictions are applied to it. The user account associated with the Discovery Search Mailbox is disabled so no one can log on to this mailbox without being explicitly granted rights to do so. The Discovery Management group has full access rights to the Discovery Search Mailbox. You can control and audit membership in the Discovery Management role group by using Group Policy's Restricted Groups policy setting.

Because the Discovery Search Mailbox should be able to store a large amount of data, it's assigned a 50GB storage quota on creation. If you have multiple teams or individuals that perform discovery searches and you don't want them to see results from other searches, you'll need to create additional Discovery Search Mailboxes, which you can do through Exchange Management Shell (EMS); I'll describe that procedure later.

Permissions for Multi-Mailbox Search

Unlike other technologies, such as transport rules and journaling, which you have to enable and configure before you can use them, you can perform a discovery search at any time, without first enabling the feature on an organizational level. However, several steps should be performed to allow an investigator to perform discovery searches.

First, you should have a valid reason to perform a search, as well as appropriate procedures and policies, developed in cooperation with your legal team, that define and support this type of activity. Although these considerations aren't a technical part of the story, it's important to keep them in mind. If you don't, you risk potential lawsuits and even the possibility of losing your job.

After you've handled the legal issues, you have to assign appropriate rights to yourself or to someone else who will perform the discovery search. You have two options for assigning the rights. The first is to use the MMC Active Directory Users and Computers snap-in to add a user account to the Discovery Management group; Exchange Setup creates the role group as a universal security group in the Microsoft Exchange Security Groups OU, so adding the account there adds the user to the Discovery Management RBAC role group. The role group consists of two management roles: the Mailbox Search role, which lets a user perform a discovery search; and the Legal Hold role, which lets a user place a mailbox on legal hold.

Your second option for assigning the rights is to use EMS by executing the following command:

Add-RoleGroupMember -Identity "Discovery Management" -Member Damir

If you want to check which users have permission to perform a discovery search, you can execute the following command:

Get-RoleGroupMember "Discovery Management"

When you add a user to the Discovery Management role group, the user also gets full access rights for the Discovery Search Mailbox. Remember, this mailbox is the default for storing search results, but you can also create additional mailboxes of this type. To do so, you use EMS and the New-Mailbox cmdlet. For example,

New-Mailbox -Name "Mailbox Discovery" -UserPrincipalName "MailboxDiscovery@logosoft.ba" -Discovery

creates an additional Discovery Search Mailbox. The -Discovery switch used in this cmdlet is responsible for dedicating this as a Discovery Search Mailbox, and you can use the -Name parameter to enter a different name for this mailbox.

If you aren't sure whether additional Discovery Search Mailboxes have been created in your organization, you can easily check that with the following command:

Get-Mailbox -Filter { RecipientTypeDetails -eq "DiscoveryMailbox" }
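Because role-group membership and full access to the discovery mailboxes are the whole access-control story here, the check I'd run regularly is a drift audit. The following EMS script is an added example, not code from the article: it compares Discovery Management membership against an approved list, and for every discovery mailbox verifies that the logon account is still disabled and that no one outside the role group has been granted Full Access. The approved names are a hypothetical assumption, and the role group is matched by its display name as Get-MailboxPermission reports it (DOMAIN\Discovery Management).

```powershell
# Added example (not from the article). Run in Exchange Management Shell on
# Exchange 2010 with an account that can read role groups and mailbox permissions.
$approvedInvestigators = @('Damir', 'legal.officer')   # assumed: names as Get-RoleGroupMember shows them

# 1. Role-group membership versus the approved list (both directions)
$members    = @(Get-RoleGroupMember -Identity 'Discovery Management' | ForEach-Object { $_.Name })
$unexpected = @($members | Where-Object { $approvedInvestigators -notcontains $_ })
$missing    = @($approvedInvestigators | Where-Object { $members -notcontains $_ })

if ($unexpected.Count) { Write-Warning ("Unapproved Discovery Management members: " + ($unexpected -join ', ')) }
if ($missing.Count)    { Write-Warning ("Approved investigators missing from role group: " + ($missing -join ', ')) }

# 2. Every discovery mailbox: the AD account must stay disabled, and explicit
#    FullAccess grants must belong to the role group only.
Get-Mailbox -RecipientTypeDetails DiscoveryMailbox | ForEach-Object {
    $mbx  = $_
    $user = Get-User -Identity $mbx.Identity
    if (-not $user.AccountDisabled) {
        Write-Warning "Discovery mailbox '$($mbx.Name)': logon account is ENABLED"
    }

    Get-MailboxPermission -Identity $mbx.Identity |
        Where-Object {
            (($_.AccessRights -join ',') -match 'FullAccess') -and
            -not $_.IsInherited -and -not $_.Deny
        } |
        ForEach-Object {
            $principal = $_.User.ToString()
            # NT AUTHORITY\SELF is the mailbox's own entry; everything else must be the role group
            if ($principal -notmatch 'Discovery Management' -and $principal -notmatch 'NT AUTHORITY\\SELF') {
                Write-Warning "Discovery mailbox '$($mbx.Name)': unexpected FullAccess for $principal"
            }
        }
}
"Audit complete: $($members.Count) role-group member(s) checked"
```

Schedule it and route the warnings to whoever owns the e-discovery process, not only to the Exchange admins; a silent addition to the role group is exactly the event the closing section of this article warns about.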

Perform a Multi-Mailbox Search

Now that you have users who can perform a discovery search, you're ready to actually perform a search. First, you have to connect to ECP, which you can do by going to https://yourexchangeserver/ecp in your browser, and entering your username and password on the authentication page. In the ECP interface, click Reporting, and you'll be presented with the Mailbox Searches interface, which Figure 1 shows. This page won't be available to users who don't have appropriate rights.

Figure 1: The Mailbox Searches interface in ECP

To create a new search, click New, and the New Mailbox Search window opens, as Figure 2 shows. The first field is Keywords, which is where you enter keywords, phrases, or patterns defined with wildcards that you want to search for. For this example, we'll search for the word password. If you want to search for multiple words, you can use AND in all caps between words, or just type commas. If you want to search for any of the words you enter, you need to use OR (also all caps) between words. You can also use NOT between words to exclude the second one, use an asterisk (*) as a wildcard after a word, and use double quotation marks around words to search for an exact phrase. Thanks to new features implemented in Exchange Search, you can also use Advanced Query Syntax (AQS) to define keywords. Using AQS, you can quickly define and narrow your searches for even more targeted results. This query syntax is used by Windows Search and Instant Search in Microsoft Outlook 2007 and later. You can learn more about using AQS from the Microsoft article "Using Advanced Query Syntax Programmatically" (msdn.microsoft.com/en-us/library/bb266512.aspx).

If you suspect items in a user's mailbox are protected or encrypted, you can select the check box for Include items that can't be searched. If you enable this option, your search results will include not just messages that have the desired keywords, but also items that can't be searched by default, such as encrypted or Information Rights Management (IRM)-protected messages, or messages with attachments in an unknown format. For IRM-protected messages, Exchange 2010 can go one step further by using IRM decryption for the Exchange Search feature: when it's enabled, IRM-protected messages are decrypted during indexing, and a discovery search returns the ones that actually match the keywords instead of merely flagging them as unsearchable. This applies to IRM only; Exchange holds no keys for S/MIME-encrypted messages, so those are still returned only as unsearchable items and must be reviewed separately. To enable this decryption feature, Exchange servers must have access to the message, which is done by adding the Federated Delivery mailbox, a system mailbox created by Exchange Setup, to the super users group on the Active Directory Rights Management Services (AD RMS) server. For more information about this process, see the Microsoft article "Add a Federated Delivery Mailbox to the AD RMS Super Users Group" (technet.microsoft.com/en-us/library/ee424431.aspx).

To enable search on IRM-protected content on the Exchange side, run this command:

Set-IRMConfiguration -SearchEnabled $true


Below the Keywords field is the very useful Select message types button. Clicking this button lets you select the type of items you want to search, as Figure 3 shows. You can choose to search, for example, only email messages and calendar items, but not tasks, notes, and so forth. Or you can select to search all types of items in the mailbox.

The next section on the New Mailbox Search window, Messages To and From Specific E-mail Addresses, lets you narrow your search to specific senders or specific recipients, if known. Note that this isn't where you specify the mailbox that you want to perform the search on, but just an option to perform a more precise search. If you don't know any specific sender or recipient, you can specify just a domain name. For example, by entering @logosoft.ba in the From field, you'll search for messages that came from any user on the logosoft.ba domain. The To field works the same way.

The Date Range section lets you specify a date range for messages you want to search. If you don't know a specific date range, you can search without limiting by date. However, if you don't specify a date range, your search will be significantly slower.

The next section is Mailboxes to Search. In this section, you select the specific mailbox or mailboxes that you want to search. By clicking Add, you can add one or more mailboxes from your organization, or you can select the Search all mailboxes option to perform a search across all mailboxes in your organization. Searching all mailboxes can take a long time, especially if you have a lot of mailboxes and you didn't specify a date range for the search. Note that if you're searching a mailbox that has a Personal Archive mailbox enabled, the search also includes this archive.

Figure 2: Creating a mailbox search in the New Mailbox Search window

Figure 3: Selecting the types of messages to search

The last section is Search Name and Storage Location. You can enter anything in the Search name field (I used "password sharing" as a name in this example). Then, click Browse, and you'll see all available Discovery Search Mailboxes in your organization; if you didn't create additional mailboxes, there will be only one available. In this same section, you can also select to be notified by email when the search is done, and you can select the full-logging option. Full logging includes detailed information about all messages returned by the search in a comma-separated value (CSV) file attached to the email message that contains the basic information.


When you click Save, your search starts. Unless your search is targeted on a large number of objects, it will probably finish quickly. You can monitor search progress in ECP, or you can log out and wait until you get an email notification. It's also possible to run more than one search at the same time. When your search status changes to Succeeded, which you can see in the right pane of ECP, as Figure 4 shows, you can open the results. On the Results line, scroll right and you'll see a link, [Open], which you can click to open the Discovery Search Mailbox. Click the My Mail option, and the Discovery Search Mailbox opens in OWA. Inside this mailbox, you'll have folders for each search that you've performed, named as each search was named. By expanding these folders, you can find the mailboxes, folders, and messages that meet the search parameters, as Figure 5 shows. You can open each item and see its content as well as all its other properties, such as the folder where it resides, sender and recipient, and time of send. It's possible for the same message to appear multiple times in your results: if you performed a search across multiple mailboxes, one user could have a message in the Sent Items folder and another could have it in the Inbox.


A discovery search can also be initiated by using EMS. Although using ECP is convenient for performing a single search from time to time, EMS is a much more flexible option if you need to perform searches on a regular basis. You can use the code in Listing 1 to initiate a discovery search. This command initiates a discovery search on the mailbox Damir Dizdarevic and searches a date range that covers the year 2009. It searches for the words password and confidential, and it looks only for email messages with these keywords, including unsearchable messages.
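A scripted search is only useful if the script also waits for the result and notices when the search didn't succeed. The following EMS script is an added example, not code from the article: it starts a search with the same parameters as Listing 1 under a time-stamped name, polls Get-MailboxSearch until the search leaves the in-progress states, and then reports the item count and size from the search object. The mailbox names, keywords, date range and poll interval are assumptions; the status names are those Exchange 2010 reports (NotStarted, InProgress, Succeeded, Failed, Stopped).

```powershell
# Added example (not from the article). Run in Exchange Management Shell on
# Exchange 2010 as a member of the Discovery Management role group.
$searchName = "password sharing " + (Get-Date -Format 'yyyyMMdd-HHmm')   # unique per run

New-MailboxSearch -Name $searchName `
    -SourceMailboxes 'Damir Dizdarevic' `
    -TargetMailbox   'Discovery Search Mailbox' `
    -SearchQuery     '"password" AND "confidential"' `
    -StartDate '1/1/2009' -EndDate '12/31/2009' `
    -MessageTypes Email `
    -IncludeUnsearchableItems `
    -LogLevel Full | Out-Null

# Poll until the search is no longer queued or running. EMS on Exchange 2010
# is PowerShell 2.0, hence -contains rather than -in.
$pending = @('NotStarted', 'InProgress')
do {
    Start-Sleep -Seconds 15
    $search = Get-MailboxSearch -Identity $searchName
    "{0:HH:mm:ss}  {1}" -f (Get-Date), $search.Status
} while ($pending -contains [string]$search.Status)

if ([string]$search.Status -ne 'Succeeded') {
    # Failed or Stopped: do not hand an incomplete result set to Legal
    throw "Search '$searchName' ended with status $($search.Status); check the search in ECP before using the results"
}

# ResultNumber/ResultSize are populated on the search object once it completes;
# the per-item detail is in the CSV that -LogLevel Full attaches to the notification.
"Search '{0}' succeeded: {1} item(s), {2}" -f $search.Name, $search.ResultNumber, $search.ResultSize
"Results folder: '{0}' in mailbox '{1}'" -f $search.Name, $search.TargetMailbox
```

Items that were copied only because -IncludeUnsearchableItems was set (S/MIME messages, attachments of unknown type) are in the results folder without having matched any keyword, so the reviewer needs to treat that subset differently from the genuine hits; the Full log is how you tell them apart.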

Legal Hold

In addition to searching the contents of primary and archive mailboxes, you can use Multi-Mailbox Searches on items that users have deleted. Under some circumstances, such as a court order or lawsuit, it might be necessary to control not just regular email correspondence but also items that specific users deliberately delete. Before discussing this technology, it's worth mentioning changes implemented in the Exchange 2010 dumpster. In previous versions of Exchange, the dumpster was a view stored per folder. Using this approach, items in the dumpster stayed in the folder where they were soft-deleted (either by pressing Shift+Delete in any folder or Delete from within the Deleted Items folder), but they were marked with the ptagDeletedOnFlag flag. These items were marked in the store to be excluded from normal Outlook views and quotas. In addition, data with this flag couldn't be searched or indexed. These items were recoverable by end users by using the Recover Deleted Items tool accessible through OWA, and the user was also able to permanently delete these items.

Figure 4: A completed search shown in ECP

Figure 5: The folder structure in the Discovery Search Mailbox showing the results of a search

Exchange 2010 has a Dumpster 2.0. Unlike version 1.0, the new version isn't a simple view but a folder called Recoverable Items. This folder is located inside the user's mailbox in the Non-IPM subtree, and it isn't viewable through the UI. This folder is indexed, it can be searched, and you can prevent deletions from this folder by implementing legal hold. Also, it's possible to apply a quota to this folder. In Exchange 2010, when a user deletes an item, it's no longer marked with a ptagDeletedOnFlag flag; instead, it goes to the Deletions subfolder within the Recoverable Items folder. From this folder, a user can retrieve items that were deleted. Once legal hold (or single item recovery) is enabled on the mailbox, the user is no longer able to permanently delete items from this folder: if the user deletes an item from Recoverable Items, it goes to the Purges subfolder. The user can no longer access this item, but an administrator can, which prevents users from hiding or destroying items intentionally. Without a hold or single item recovery, a delete from Recoverable Items removes the item for good, so the protection depends on the hold actually being in place before the user starts deleting.

Dumpster 2.0 is a basic principle of the legal hold feature. You can use the legal hold feature to:

• place a hold on users' mailboxes and keep mailbox items in an unaltered state

• preserve mailbox items that users attempt to delete after the hold is placed

• preserve mailbox items automatically deleted based on messaging records management (MRM) retention policies

Legal hold is enabled on a per-mailbox basis, and it's basically transparent to the end user because retention policies continue to operate. By enabling it, you preserve practically all mailbox items from both the primary mailbox and Personal Archive, even if the user deletes something, and you can perform discovery searches on these items as well.

Items in the Recoverable Items folder aren't calculated toward the user's mailbox quota, which is good for the user. The Recoverable Items folder has its own quota, and two parameters apply to this quota: RecoverableItemsWarningQuota and RecoverableItemsQuota. The default RecoverableItemsWarningQuota and RecoverableItemsQuota values are set to 20GB and 30GB respectively. If these quotas are reached, an event is logged in the application log of the Mailbox server, so it's important to monitor this event log. For a mailbox on legal hold the hard quota matters more than a warning: held items can't be purged to make room, so once RecoverableItemsQuota is reached the user's deletes start failing until you raise the quota. If you want to modify quota values for a mailbox database, you use the Set-MailboxDatabase cmdlet, or you can use the Set-Mailbox cmdlet if you want to do it on an individual mailbox basis.


To enable legal hold on a user mailbox, you use the following command in EMS:

Set-Mailbox user@domain.com -LitigationHoldEnabled $true

To remove a legal hold, you would use the same command but replace $true with $false. Legal hold also includes an option that automatically alerts users through Outlook 2010 that a hold has been placed on their mailboxes. If your organization requires that users on legal hold be informed, you can add a notification message to the mailbox user's Retention Comment property. This property can be set by using the -RetentionComment parameter of Set-Mailbox in EMS. Outlook 2010 displays the notification in the Backstage view.

When performing a discovery search on mailboxes where legal hold is enabled, your results include not only items from regular mailbox folders but also items from the Recoverable Items folder that match the search keywords. You use the same procedure for searching messages on legal hold as described before for discovery searches; no additional procedure is required.
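Because the hold only protects what is deleted after it is set, the operational sequence is: set the hold and the user notice, verify both took effect, and then keep an eye on Recoverable Items growth against its quota. The following EMS script is an added example, not code from the article, and ties those three steps together. The mailbox, comment text and URL are hypothetical; the script assumes Exchange 2010 SP1 or later for Get-MailboxFolderStatistics -FolderScope RecoverableItems.

```powershell
# Added example (not from the article). Run in Exchange Management Shell as a
# member of the Discovery Management role group (Legal Hold role).
$mailbox = 'user@domain.com'   # hypothetical

# 1. Enable the hold together with the notice Outlook 2010 shows in Backstage view
Set-Mailbox -Identity $mailbox `
    -LitigationHoldEnabled $true `
    -RetentionComment 'Your mailbox is on legal hold. Do not delete items; contact Legal with questions.' `
    -RetentionUrl 'https://intranet.example.com/legal/hold-faq'

# 2. Verify before telling Legal it is done: the flag and the notice must both be set
$m = Get-Mailbox -Identity $mailbox
if (-not $m.LitigationHoldEnabled) { throw "Legal hold was not applied to $mailbox" }
if (-not $m.RetentionComment)      { Write-Warning "$mailbox is on hold but has no RetentionComment; the user will not be notified" }
"Hold enabled: {0}  Notice set: {1}" -f $m.LitigationHoldEnabled, [bool]$m.RetentionComment

# 3. Recoverable Items usage versus its own quota (20GB warn / 30GB hard by default).
#    Held items accumulate in Deletions and Purges and cannot be purged by the
#    Managed Folder Assistant, so this folder is the one that will eventually fill.
Get-MailboxFolderStatistics -Identity $mailbox -FolderScope RecoverableItems |
    Select-Object Name, ItemsInFolder, FolderSize |
    Format-Table -AutoSize
"Recoverable Items quota: warning at {0}, hard limit {1}" -f $m.RecoverableItemsWarningQuota, $m.RecoverableItemsQuota

# To lift the hold later, clear the notice at the same time so Outlook stops showing it:
# Set-Mailbox -Identity $mailbox -LitigationHoldEnabled $false -RetentionComment $null -RetentionUrl $null
```

Record who set the hold and when alongside the case reference; Exchange only records that the hold is on, and the question "since when was this mailbox preserved" is the first one counsel will ask.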

Use the Power Wisely

As you can see, Exchange 2010 has powerful and user-friendly tools for searching and tracking users' email correspondence. However, these tools can be potentially dangerous if they're used by unauthorized people. In some scenarios, even administrators can be unauthorized, despite the fact that they have the technical ability to use this technology. In order to be sure this technology isn't misused, you should carefully monitor membership changes on the Discovery Management role group, as well as enforce restricted group membership through Group Policy. Also, be sure to partner with your legal and management teams to set search policies and criteria and to determine who you place in the Discovery Management role group.
Listing 1: Creating a Discovery Search Through EMS

New-MailboxSearch -Name "SearchName" `
    -StartDate "1/1/2009" -EndDate "12/31/2009" `
    -SourceMailboxes "Damir Dizdarevic" `
    -TargetMailbox "Discovery Search Mailbox" `
    -SearchQuery '"password" AND "confidential"' `
    -MessageTypes Email `
    -IncludeUnsearchableItems `
    -LogLevel Full
I recently needed to print an airline e-ticket in Internet Explorer (IE) using my Windows 7 notebook in a small guesthouse. The hotel owner offered me his printer, which I connected to my notebook. He suggested that I'd need the driver disk to complete the installation. I declined, knowing that my Internet-connected notebook would locate the appropriate driver on Windows Update, which it did within seconds, and I was able to print. The entire process was fast and painless, and most importantly, didn't require me to elevate my standard user account to admin privileges to complete the installation.

The first step many sys admins take when provisioning a new computer, especially notebooks, is to move domain user accounts into the local administrators group and, worse still, disable User Account Control (UAC) in Windows Vista and later. This is often done to help in situations similar to that described above, where users need to install a device driver or perform some other admin-level task. However, changes in the implementation of UAC and the security model in Windows 7 make it more realistic for users to run without admin privileges.


Changes to UAC help you configure Least-Privileged User Accounts

by Russell Smith


Installing Devices

The DevicePath registry value has existed in Windows for a long time. It lets admins specify trusted locations in addition to the default %SystemRoot%\inf folder where the system searches for device drivers when a new device is connected. Starting with Windows 7, standard users can add signed drivers to the local driver store from locations specified in the DevicePath registry value or Windows Update.

If you store driver packages on the network, you can modify the DevicePath value in the registry, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DevicePath, to include the appropriate network path so that Windows scans both the in-box drivers and the network repository. Additional paths are separated from each other by semicolons, for example %SystemRoot%\Inf;\\servername\drivers. Remember that anyone who can write to that share can stage a driver package that standard users will then be able to install, so lock down write access to it as you would for any other software-distribution point.

Windows 7 still requires that drivers be signed with a valid certificate that's trusted by the local computer. Additionally, 64-bit versions of Windows have special requirements for kernel-mode drivers, which must be signed by a Software Publishing Certificate from Microsoft's list of approved Certification Authorities (CAs). (See the list at www.microsoft.com/whdc/winlogo/drvsign/crosscert.mspx.) The majority of devices available can now be installed in Windows 7 without admin privileges; if you need to sign a driver package yourself, the Windows Driver Kit contains the tools required to sign device drivers (www.microsoft.com/whdc/devtools/wdk/wdkpkg.mspx).

Windows 7 and Vista contain a utility, pnputil.exe, that can be used to pre-stage drivers in the local 
driver store. After a driver is placed in the local store, it's considered trusted and will install when a user 
connects the associated device. While pre-staging drivers by using pnputil.exe might not be necessary, 
it provides the most reliable user experience when a previously uninstalled device is connected. Drivers 
already added to the local driver store can be enumerated using pnputil.exe and specifying the -e switch. 

A Group Policy setting in Windows 7 and Vista lets you specify devices that standard users can install by GUID. The Allow non-administrators to install drivers for these device setup classes policy setting can be found in Windows Server 2008 and later under Computer Configuration\Policies\Administrative Templates\System\Driver Installation. Standard users can install device drivers in the following scenarios:

• Windows includes a driver that supports the device being connected.

• The driver for the device has been pre-staged by an administrator in the local driver store using pnputil.exe or dism.exe.

• A driver signed with a valid certificate and trusted by the local computer is available on Windows Update or in a location specified in the system's DevicePath registry value (Windows 7 only).

• A driver signed with a valid certificate and trusted by the local computer is available and the associated device setup class GUID is listed in the Allow non-administrators to install drivers for these device setup classes policy setting (Vista and above).
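The two administrator-side steps above, extending DevicePath and pre-staging a package with pnputil.exe, are easy to get subtly wrong: reading DevicePath through the usual cmdlets expands %SystemRoot% and writes it back as a literal path, and a pnputil failure on an unsigned package is easy to miss in a script. The following PowerShell is an added example, not code from the article; it preserves the unexpanded value, appends the share only once, and treats pnputil's exit code as the signature check. The share path, the .inf name and the assumption that a non-zero pnputil exit code means the package was rejected are mine, not the article's.

```powershell
# Added example (not from the article). Run elevated on Windows 7, once per
# machine (for example from a computer startup script).
$repo = '\\servername\drivers'   # hypothetical driver share, read-only for users

# 1. Append the share to DevicePath without losing %SystemRoot%\inf.
#    DoNotExpandEnvironmentNames returns the raw REG_EXPAND_SZ string, and
#    writing it back as ExpandString keeps the variable intact.
$cv  = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey('SOFTWARE\Microsoft\Windows\CurrentVersion', $true)
$raw = $cv.GetValue('DevicePath', '%SystemRoot%\inf',
                    [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
$paths = @($raw -split ';' | Where-Object { $_ })
if ($paths -notcontains $repo) {
    $cv.SetValue('DevicePath', (($paths + $repo) -join ';'),
                 [Microsoft.Win32.RegistryValueKind]::ExpandString)
    "DevicePath is now: " + (($paths + $repo) -join ';')
}
$cv.Close()

# 2. Pre-stage a driver package into the local driver store. pnputil refuses
#    packages whose signature the computer does not trust, so the exit code is
#    the trust check (assumed: non-zero means the package was rejected).
$inf = Join-Path $repo 'acme\acmeprinter.inf'   # hypothetical package
& pnputil.exe -a $inf
if ($LASTEXITCODE -ne 0) {
    throw "pnputil returned $LASTEXITCODE for $inf; is the package signed by a CA this computer trusts?"
}

# 3. Enumerate what is staged now; third-party packages show up as oemNN.inf
& pnputil.exe -e
```

Run the enumeration on a reference machine after deployment and diff it against the expected package list: an unexpected oemNN.inf in the store is something a standard user will be able to install silently the next time the matching hardware ID appears.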

Network Printers

As if deploying and managing printers isn't hard enough, introducing standard user accounts on your workstations can be a challenge. Much confusion surrounds the ability of standard users to install drivers for networked printers. One overlooked advantage of utilizing Windows Print Servers on your network is that in most cases, users don't require admin privileges to install network printers hosted on Windows Servers. If the printer driver installed on the print server is an in-box Windows driver (i.e., included as part of the default Windows installation), or a signed printer driver package, users don't require admin privileges to install those printers. Furthermore, Group Policy can be utilized to deploy printers via the Print Management console without requiring users to have admin privileges.

Because many companies don’t want 
the expense of running a Windows Print 
Server, there are some workarounds to 
get other networked printers installed for 
standard users. The key problem in dealing 
with networked printers that aren't hosted 
on a Windows Print Server is that to deploy 
the printer, a local TCP/IP port must be 
configured on each client, which requires 
admin rights. 

Group Policy Preferences can be used to deploy TCP/IP printers to standard users, but the catch is that for the initial deployment, the printer must be installed on a Windows Print Server to distribute the driver. After the printer has been installed on all the required devices, the Windows Print Server can be switched off and print jobs sent directly to the device. In practice, using Group Policy Preferences to deploy TCP/IP printers to standard users has a couple of caveats:

• You'll need to deploy the Group Policy Preferences client-side extensions to computers not running Windows 7.

• If you use computer configuration preferences to deploy TCP/IP printers, you should additionally disable the Point and Print Restrictions setting in Group Policy under Computer Configuration\Administrative Templates\Printers to ensure that warnings or elevation prompts aren't shown during the installation.

• Group Policy Preferences supports deployment of printers only if the WinPrint print processor is selected when installed for deployment on the Windows Print Server. If you select anything else, the print processor must already be installed on devices to which the printer will be deployed. The WinPrint print processor might not support advanced functionality of your printer.

Unwanted UAC Elevation Prompts

A few applications insist on being run with admin privileges without good reason. For example, you log in as a standard user, try to launch an application, and you're presented with a UAC elevation prompt demanding the password for an administrator account. Failing to enter a password and clicking No in response to Do you want to allow the following program to make changes to this computer? means you won't be able to run the program.

At first glance, it might seem there are only two solutions: Run the application with admin privileges or turn off UAC, neither of which is desirable. Each executable on a system can be accompanied by an application manifest, which is an .xml file that specifies several parameters in relation to how the application interacts with UAC. Usually application manifests are embedded inside executable files, but they can sometimes be standalone files in an application directory.

To work around the problem, Microsoft has included a shim as part of the application compatibility infrastructure. RunAsInvoker makes the application run with the privileges of the process that launched it (the invoker), ignoring the manifest's request for elevation. Wherever possible, however, it's preferable to modify the executable's manifest. Neither approach grants the application anything extra: if the program genuinely needs to write to Program Files or HKEY_LOCAL_MACHINE, it will now fail at that point instead of at launch, which tells you the application, not the prompt, is the problem.

Heaven Tools has a program called Resource Tuner (www.heaventools.com/resource-tuner.htm) that lets admins modify application manifests embedded in precompiled executables. Running the tool and modifying the .xml code couldn't be simpler. All you need to do is find the Manifest folder in the resource browser and change the requestedExecutionLevel value from requireAdministrator to asInvoker, then save the changes to the executable. Bear in mind that editing the file invalidates any Authenticode signature the executable carries, so where the signature matters (AppLocker publisher rules, vendor support) prefer the shim or re-sign the file. Here's an example of the security tag in an application manifest file:

<security>
  <requestedPrivileges>
    <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
  </requestedPrivileges>
</security>

If you're using Visual Studio (VS), you can use mt.exe to add or modify an application manifest. It's part of the Windows SDK.

If modifying the application manifest isn't possible, you can load the Application Compatibility Toolkit (ACT) 5.5, a free download from Microsoft, and use Compatibility Administrator to create a compatibility fix using the RunAsInvoker shim, then deploy the resulting database to your workstations:

1. Log in to Windows 7 as an administrator and install ACT.

2. Open Compatibility Administrator in the Application Compatibility Toolkit 5.5 folder on the Start menu, and below Custom Databases in the left pane, select New Database and press Ctrl+R.

3. Name the new database and press Enter.

4. Press Ctrl+P to create a new application fix. In the Create New Application Fix dialog box, type the name of the program to be fixed.

5. Click Browse and find the executable you want to apply the fix to and click Open. Click Next to continue.
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Figure 1: The Compatibility Fixes page with RunAsInvoker selected 


6. On the Compatibility Modes screen, select None under Operating Systems and click Next. On the Compatibility Fixes screen, scroll down the menu and select the RunAsInvoker fix, which Figure 1 shows.

7. At this point, you can click Test Run to see if the fix has the desired effect on the application. Click Next to continue.

8. On the Matching Information screen, you can fine-tune how the compatibility engine identifies the executable. Let's leave the default settings and click Finish.

9. Click the Save icon at the top of the Compatibility Administrator window (see Figure 2), and save the database to the C drive on the local computer.

10. Select Install from the File menu and click OK to confirm the installation of the database. You should now be able to run the targeted application without the need to elevate privileges.


After the compatibility fix has been thoroughly tested, it can be distributed. To do so, use Group Policy and a batch file that calls the sdbinst.exe command line.


UAC as a Security Boundary

Microsoft has famously stated that UAC is a security feature, not a security boundary. Though logging in using a protected administrator account doesn't provide a security boundary, a standard user account with UAC enabled provides a boundary of sorts. The default UAC configuration enables what's known as over-the-shoulder (OTS) elevation. If UAC is triggered by an application installer, or an application manifest requires an executable be launched with admin privileges, you are prompted to enter an administrator password before you can proceed. This process takes you to the secure desktop, a session that's isolated from the user's desktop to stop interference from malware, where you can safely enter an administrator password. It sounds pretty secure, right?

The dilemma with OTS elevation is that malware could imitate the secure desktop and steal the administrator password as it's entered by an unsuspecting user. Hence, Microsoft recommends disabling OTS elevation for standard user accounts in Group Policy to mitigate this vulnerability in enterprise environments.

Figure 2: The Compatibility Administrator window

Disabling OTS elevation also means that you'll no longer be able to right-click an executable and select Run as administrator from the menu. This might seem like a drawback for support staff, but you can hold Shift and right-click to select the Run as different user menu option.

An alternative to disabling OTS elevation is to turn on the Secure Attention Sequence (SAS) in Group Policy settings. Instead of being automatically taken to a secure desktop for the OTS elevation prompt, users must press Ctrl+Alt+Del before the secure desktop is presented. As the SAS can't be emulated other than by physically pressing Ctrl+Alt+Del, the user can be sure that the secure desktop is genuine. SAS can be enabled in the Require trusted path for credential entry Group Policy setting under Computer Configuration\Policies\Administrative Templates\Windows Components\Credential User Interface. Bear in mind that SAS might present a considerable inconvenience if elevation is required on a regular basis.

No Security Utopia

Windows 7 makes it easier than ever to work as a standard user. However, as more users log in without admin privileges, malware is likely to evolve and target the user's login session. Technologies such as Software Restriction Policies in Vista and earlier and AppLocker, available in Windows Server 2008 R2 and in some editions of Windows 7, can be used for application whitelisting, which will become important in preventing the execution of malware of this type.
Two IRM-enabled features combat information leakage

by John Howie



Organizations of all sizes struggle to protect confidential data—customer names and addresses, future product plans—from accidental disclosure. Information leakage or data loss can lead to financial penalties and loss of partner and customer confidence. Now, with the release of Microsoft Exchange Server 2010, businesses have a new weapon in this struggle. Exchange 2010 can leverage an organization's Active Directory Rights Management Services (AD RMS) infrastructure—powered by Information Rights Management (IRM)—so that Exchange administrators can configure rules to automatically rights-protect email messages and attachments based on specific criteria.

Exchange 2010 also introduces another exciting feature that lets users send, receive, and reply to rights-protected email messages through Outlook Web App (OWA; formerly Outlook Web Access). In earlier versions of OWA, users could read rights-protected email messages and attachments if they installed the Rights-Management Add-On (RMA), but this solution didn't work for browsers other than Internet Explorer (IE) and users couldn't reply or create new rights-protected messages. Let's examine how to set up and configure Exchange 2010 to leverage these two capabilities.

What the Technology Enables 

I'll assume that you already have an Exchange 2010 infrastructure installed but not yet configured for Exchange 2010 IRM. Recall that AD RMS is the underlying infrastructure consisting of servers and databases, and that IRM is the collection of features offered by Microsoft Office products such as Word, Excel, PowerPoint, and Outlook—and server systems such as SharePoint—that enables AD RMS to protect sensitive data contained in corporate documents and email messages.

With AD RMS and IRM, rights-protected documents and email messages are encrypted so that only 
users and groups specified by the author can read them and—depending on the rights granted—modify, 
print, or distribute them. Also thanks to AD RMS, Exchange administrators can set up conditions (e.g., 
sender, recipients, subject, content, attachments) for automatic rights protection. This feature removes 
the need for the email sender to make a decision to rights-protect the email or even be aware of policy 
surrounding the dissemination of sensitive or confidential information. 


Preparing AD RMS for Exchange 2010 Integration 

There are some steps you need to take to prepare AD RMS for Exchange 2010. First, you must be using 
AD RMS on Windows Server 2008. If you're running the older Windows RMS on Windows Server 2003 
or Windows 2003 R2, you need to upgrade. I recommend that you upgrade to Server 2008 R2 so that 
you can skip the following two steps to prepare AD RMS on Windows Server 2008 RTM. 

If you're running AD RMS on Server 2008 RTM, you first need to install Server 2008 SP2 on all 
your RMS servers that Exchange 2010 will use—at a minimum, that means all the servers in your AD 
RMS certification cluster. Once SP2 is installed, you'll need to follow the instructions in the Microsoft 
article "A hotfix is available for the Active Directory Rights Management Services role in Windows 
Server 2008: August 26, 2009" (support.microsoft.com/kb/973247). Simply click View and request 
hotfix downloads at the top of the page. Make sure that you download the correct hotfix; versions are 
available for both 32-bit and 64-bit systems. 
Figure 1: ServerCertification.asmx's security settings


Regardless of whether you're running AD RMS on Server 2008 RTM or R2, you need to configure discretionary ACLs (DACLs) on an AD RMS web service file on every server in your certification cluster. On each server, open the IIS Manager from the Administrative Tools folder and expand the Web Server node, then the Sites node, then the Default Web Site node, then the _wmcs node. Right-click the Certification node, and select Explore. In the Explorer window, right-click the ServerCertification.asmx file, select Properties, and go to the Security tab. You need to grant the Exchange Servers group permissions to read and execute the file. You also need to grant the AD RMS Service Group the same rights. (This group is a local group on the AD RMS Server itself.) When you've given these two groups the permissions on the file, ServerCertification.asmx's security settings—which you can access by clicking the Advanced button in the ACL Editor—will look like those in Figure 1.

Next, you need to add the Federated Delivery mailbox (a system mailbox created during the installation and setup of your Exchange 2010 organization) to the RMS Super Users group. The Super Users group is extremely powerful: A member of this group can access any rights-protected content protected by the organization's AD RMS system. For this reason, it's disabled by default, and when it is enabled, membership to the Super Users group should be strictly controlled. If Super User access is turned off, enable it, create a new email-enabled distribution group in AD, and make that group the RMS Super Users group. Figure 2 shows configuration of the RMS Super Users group on AD RMS 2008.

The user logon name belonging to the Federated Delivery mailbox is FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042. To add the mailbox to the Super Users group, run the following command in Exchange Management Shell (EMS):

Add-DistributionGroupMember <RMSSuperUsers> -Member FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042

where RMSSuperUsers is the name of the distribution group representing the Super Users group.

Once you have the name of the Super Users group, add the Federated Delivery mailbox user account to the group. Note that once you add the Federated Mailbox user to the Super Users group, the RMS group membership cache will need to expire before changes to the Super Users group appear; that can take up to 24 hours.

Configuring OWA for IRM 

Exchange 2010 includes the concept of a Client Access role, which contains the OWA feature. This feature permits users to access their mailboxes from their web browser, and send and receive email. Out of the box, the Client Access role isn't configured for IRM, which means that users can't send and receive rights-protected messages until the Client Access role has been configured. If a user attempts to read a rights-protected message in OWA before the Client Access role has been configured, he or she will see a message similar to the one in Figure 3.

To configure the Client Access role, the Exchange administrator needs to use EMS to run a cmdlet called Set-IRMConfiguration. This command's syntax is

Set-IRMConfiguration -InternalLicensingEnabled $true -OWAEnabled $true



Figure 2: Configuring the Super Users group

Figure 3: Using OWA to read a rights-protected email message before Exchange 2010 configuration


You can run this command once for your entire Exchange organization, and every Exchange 2010 server with the Client Access role will start serving users rights-protected messages through OWA. With such a configuration, users will see something similar to what Figure 4 shows. If you have sub-enrolled licensing servers, and you want Exchange 2010 to use one, you'll need to use the -LicensingLocation switch to specify the URL of the AD RMS licensing server.

Recipients of rights-protected messages 
can reply to them using OWA, depend¬ 
ing on the rights granted to them by the 
author of the message, and the replies will 
be rights-protected. This is a new feature of 
Exchange 2010. OWA users can also create 
rights-protected messages. 

There are two key differences between the use of Exchange 2010 OWA to consume rights-protected messages and the use of the RMA for IE combined with Exchange 2007 OWA. The first is that when using Exchange 2010 OWA, users aren't required to connect to the AD RMS infrastructure to obtain rights account certificates (RACs) or End User License Agreements (EULAs). Instead, Exchange 2010 acts on behalf of the user and accesses the rights-protected content as a Super User before serving the content in a web page. This makes it easier for users to consume rights-protected messages and doesn't require AD RMS administrators to configure Extranet Cluster URLs and external access for users outside the corporate firewall.

The second difference is that the end users are able to cut and paste rights-protected messages and take screenshots. This functionality wasn't possible with the RMA for IE. For this reason, it's possible to configure which users can use IRM via OWA using the -IRMEnabled Boolean flag on the Exchange Set-OwaMailboxPolicy PowerShell cmdlet, so that enterprises can prevent users who might have access to high-risk information from accessing rights-protected email via OWA. If you have many users and you need to enable or disable access to IRM through OWA, the Set-OwaMailboxPolicy cmdlet becomes unwieldy. An alternative approach is to create one or more additional OWA virtual directories for each category of users, configure access to each, and use the -IRMEnabled Boolean flag to the Set-OwaVirtualDirectory PowerShell cmdlet.

Using Transport Rules 

IRM features are available in Office applications, including Outlook, and can be utilized by end users to protect sensitive data. One problem with IRM prior to Exchange 2010 is that if users forget to manually apply rights protection to sensitive data, that data might get leaked or distributed inappropriately. Exchange 2010 lets Exchange administrators create Transport Rules that can apply an AD RMS rights policy template to both email messages and any supported attachments based on matching conditions, such as the email address of the sender or recipient, words in the subject of the message, words in the body of the message, or any other condition that Transport Rules support. Exchange 2010 ships with a built-in rights policy template—called Do Not Forward—that, as the name suggests, prevents recipients from forwarding the email message. Exchange 2010 will pull additional rights policy templates from AD RMS, if they're configured.

Figure 4: Using OWA to read a rights-protected email message after Exchange 2010 configuration

Figure 5: Transport Rule with RMS Template (the Conditions step of the Edit Transport Rule wizard; the rule description reads: Apply rule to messages when the Subject field or message body contains 'jabberwocky', rights protect message with 'Jabberwocky Project')

To create a Transport Rule to automatically rights-protect email messages that match the rule's conditions, launch the Exchange Management Console (EMC) on an Exchange 2010 Hub Transport server, expand the Microsoft Exchange On-Premises node, expand the Organization Configuration node, click the Hub Transport node, then click the Transport Rules tab in the console's right pane. Right-click in the pane, and select New Transport Rule from the menu to launch the New Transport Rule wizard. In the Introduction step, enter a name for the Transport Rule and an optional comment before clicking Next. In the Conditions step, select the conditions from the top that will cause the rule to fire. A common condition for applying rights protection is when the Subject field or message body contains specific words, as Figure 5 shows. When you select a Condition that requires further details, such as a keyword or keywords, you'll need to specify them by clicking underlined values, then edit the rule description in the bottom of the wizard step. If you specify multiple conditions, all must be satisfied for the rule to fire.

When you're finished selecting conditions and editing the rule description, click Next to get to the Actions step. In the Actions step, select the Rights protect message with RMS template option from the top of the wizard step and click the underlined value RMS template to launch a dialog box that shows available RMS templates (rights policy templates). Select the RMS template you want to apply, click OK to return to the wizard, then click Next to get to the Exceptions step. If you have no exceptions, click Next to get to the Create Rule step. Click New to create your Transport Rule. Once the rule has been created, click Finish to exit the wizard.

Using Transport Rules to automatically apply rights policy templates based on conditions can be resource intensive, and in certain situations—such as when there are many Transport Rules or when many messages match Transport Rules—performance of your Exchange infrastructure might be compromised, and users might experience significant delays in sending and receiving messages. For this reason, Transport Rules should be used sparingly.

If a rights policy template is deleted from your AD RMS installation, you need to edit any Transport Rules that reference the template. If you don't, Exchange 2010 will return nondelivery reports (NDRs) to the senders of messages that match the Transport Rule conditions whose actions specify that the now-deleted rights policy template be applied to the message, and the intended recipients will never receive the email. Rather than delete a rights policy template, you should archive it. Exchange 2010 can still use an archived template, but it's otherwise inaccessible to users. Exchange 2010 will also return an NDR to the sender of a message if a rights policy template can't be applied because the AD RMS infrastructure is unavailable. For this reason, ensure that your AD RMS infrastructure is fault-tolerant by building out clusters of certification and licensing servers.
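The rule semantics described in this section (every condition must match, an exception suppresses the rule, an archived template still works, and a deleted template or an unreachable AD RMS cluster turns the message into an NDR) are easy to get wrong when planning rules, so here is an added Python model of them. It is not Exchange code and not from the article; the senders, subjects, the partner-domain exception and the template states are constructed, while the 'Jabberwocky Project' template comes from Figure 5 and Do Not Forward is the built-in template.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Message:
    sender: str
    subject: str
    body: str


Condition = Callable[[Message], bool]


def _contains_word(text: str, words) -> bool:
    # Word matching is whole-word and case-insensitive in this model.
    return any(re.search(rf"\b{re.escape(w)}\b", text, re.IGNORECASE) for w in words)


def subject_or_body_contains(*words: str) -> Condition:
    """'when the Subject field or message body contains specific words'."""
    return lambda m: _contains_word(m.subject + "\n" + m.body, words)


def from_address_contains(*words: str) -> Condition:
    """'when the From address contains specific words'."""
    return lambda m: any(w.lower() in m.sender.lower() for w in words)


@dataclass
class TransportRule:
    name: str
    template: str                  # rights policy template applied by the action
    conditions: List[Condition]
    exceptions: List[Condition] = field(default_factory=list)

    def fires(self, msg: Message) -> bool:
        # All conditions must be satisfied, and no exception may match.
        return all(c(msg) for c in self.conditions) and not any(e(msg) for e in self.exceptions)


@dataclass
class RmsTemplates:
    """Templates known to AD RMS; each state is 'active' or 'archived'."""
    states: Dict[str, str]
    reachable: bool = True         # False simulates an unavailable AD RMS cluster


def process(msg: Message, rules: List[TransportRule],
            rms: RmsTemplates) -> Tuple[str, Optional[str]]:
    """Return ('deliver', None), ('protect', template) or ('ndr', reason)."""
    for rule in rules:
        if not rule.fires(msg):
            continue
        if not rms.reachable:
            return ("ndr", f"{rule.name}: AD RMS infrastructure unavailable")
        if rms.states.get(rule.template) is None:
            # Template deleted from AD RMS: the rule must be edited, or every
            # matching message bounces.
            return ("ndr", f"{rule.name}: template {rule.template!r} no longer exists")
        # Active and archived templates both work for Exchange.
        return ("protect", rule.template)
    return ("deliver", None)


# Constructed rule mirroring Figure 5, plus a constructed partner-domain exception.
RULES = [
    TransportRule(
        name="Protect Jabberwocky mail",
        template="Jabberwocky Project",
        conditions=[subject_or_body_contains("jabberwocky")],
        exceptions=[from_address_contains("@partner.example")],
    ),
]
RMS = RmsTemplates({"Do Not Forward": "active", "Jabberwocky Project": "active"})

if __name__ == "__main__":
    sample = Message("alice@corp.example", "Jabberwocky status", "Draft attached.")
    print(process(sample, RULES, RMS))
```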

Two Great Features

Exchange 2010 offers enterprises additional tools to combat information leakage, whether accidental or intentional, by incorporating IRM into the product. You're now familiar with two great IRM-enabled features: the ability to send, read, and reply to rights-protected email messages through OWA, and the ability to apply rights policy templates to messages based on matching conditions. Exchange 2010 offers other exciting IRM features that I haven't covered, including the ability to integrate with Office 2010's Outlook to enforce policy on clients rather than on servers—a capability that can significantly offload processing—and to decrypt rights-protected content to meet compliance requirements. I'll cover these features in upcoming articles.
Migrating to SharePoint 2010

Making the move to the next level of collaboration 


In 2008, SharePoint became the fastest server-side product from Microsoft to gross $1 billion in revenue. That's no surprise as there is no other single product that can deliver the diversity of features that is so desperately needed by today's organizations. Going into 2010, Microsoft has not been resting on its laurels and will be releasing a major upgrade, dubbed SharePoint 2010.

Although this release has significant user experience, 
performance, and other improvements, migrations will 
test the mettle of even seasoned IT pros as they upgrade 
their current SharePoint environments. New hardware 
and software requirements, architectural changes, and 
UI changes in the product will require solid migration 
and testing plans to ensure these upgrades proceed 
smoothly. 

My goal in this migration article isn't to illustrate every detail step-by-step. Instead, I'll highlight the major aspects of a migration and prepare you for some of the gotchas. This guidance is based on the beta 2 version of SharePoint 2010 and applies to both SharePoint Foundation (the successor to Windows SharePoint Services—WSS—3.0) and SharePoint Server, which replaces Microsoft Office SharePoint Server (MOSS) 2007.

Migration Preparation 

As you prepare for your migration effort, the first item to note is the new system requirements. SharePoint 2010 will be available only in 64-bit and will require Windows Server 2008 SP2 or Server 2008 R2 as your base OS. On the back end, you must also have a 64-bit edition of Microsoft SQL Server. Supported SQL Server versions are 2005 SP3, 2008 SP1, and 2008 R2. SharePoint also requires the Microsoft .NET Framework 3.5 SP1 and a few other components, so check technet.microsoft.com/library/cc262485(office.14).aspx for the full list. Those of you building development environments will be able to run SharePoint 2010 on Windows Vista SP1 or Windows 7, but this won't be supported for production use.

Another key prerequisite is that you must patch your SharePoint farm to at least MOSS 2007 SP2 before you upgrade. You can determine your current build by looking at SharePoint's version number. Simply go to Central Administration, click the Operations tab, then select Servers in Farm. If your version number is less than 12.0.0.6421, you'll need to upgrade to at least SP2. Note: For those still running SharePoint Portal Server (SPS) 2003, you'll first need to upgrade to MOSS 2007 before you can migrate to 2010. For more details on migrating from SPS 2003, see the Microsoft SharePoint Team Blog post "Planning for Upgrade from SharePoint Portal Server 2003 to SharePoint Server 2010" at blogs.msdn.com/sharepoint/archive/2010/01/04/planning-for-upgrade-from-sharepoint-portal-server-2003-to-sharepoint-server-2010.aspx.

In SharePoint SP2 (and improved in the October 2009 cumulative update), Microsoft added a new operation to Stsadm to help facilitate your upgrade to 2010. The utility is called Pre-Upgrade Checker, and you can think of it as an upgrade compatibility report. I strongly recommend running the tool on your current SharePoint farms. It assesses the health of your farm and suggests areas that you should correct before upgrading. By health, I mean it will inspect the state of various components, such as features, site definitions, and content databases, and it tells you whether these are functioning properly. You run the command directly from one of the SharePoint servers in your farm. It might take anywhere from a couple of minutes to an hour or more depending on how many databases you have and the overall complexity of your farm. Here is the basic command syntax:

stsadm -o preupgradecheck


This command won't make any changes to your environment. It's safe to run multiple times, although I recommend running it during off-peak hours because of the load it will place on your servers. When the execution is complete, the tool prepares a detailed HTML web report. Figure 1 displays a sample report I ran on one of my farms.

Reading through and understanding the report will take some time. Blocking (or failed) issues are those that you must address before upgrading. As Figure 1 shows, SharePoint isn't running on a 64-bit edition of Server 2008. The report will also include useful information items. Most issues have links to online materials that explain the problem in more detail. Although these information items might not be major problems, they could complicate the upgrade, and doing an upgrade won't resolve them. As much as possible, you should resolve these problems before you upgrade. For more details on the Pre-Upgrade Checker, see "Run the pre-upgrade checker (SharePoint Server 2010)" at technet.microsoft.com/library/cc262231(office.14).aspx.

Figure 1: Pre-Upgrade Checker report

    SharePoint Products and Technologies Pre-Upgrade Check Report

    This report contains potential upgrade blocking issue(s), as well as information useful for upgrade planning in general. Address any reported issues before attempting to upgrade the current SharePoint farm, or any database from it. It is possible that during upgrade you may encounter errors which are not captured by this report, in which case please refer to http://go.microsoft.com/fwlink/?LinkId=157732 for guidelines.

    Start time: Sunday, January 03, 2010 3:43:19 PM
    End time: Sunday, January 03, 2010 3:44:34 PM

    Potential Upgrade Blocking Issues

    Issue: This server machine in the farm does not have a 64 bit version of Windows Server 2008 SP2 or higher installed.

    Upgrading in-place to SharePoint 2010 requires a 64 bit edition of Windows Server 2008 SP2 or higher.

    If you are planning to perform an in-place upgrade to SharePoint 2010, please upgrade the server machines in your farm to a 64 bit edition of Windows Server 2008 SP2 or higher, or migrate the current content databases from this farm to a new farm with servers running 64 bit edition of Windows Server 2008 SP2 or higher. Before attempting to install or upgrade to SharePoint 2010, please ensure that you run the SharePoint 2010 pre-requisites installer beforehand to ensure you have the correct set of prerequisites and patches installed. For more information about this rule, see KB article 954770 in the rule article list at http://go.microsoft.com/fwlink/?LinkID=120257.

Another important preparation step is to review your current customizations. SharePoint customizations come in many forms, and I'm referring to those that involve changes to the file system on your SharePoint servers. This can include custom features, site definitions, field types, web parts, event receivers, assemblies; manual changes to files in the SharePoint root (C:\Program Files\Common Files\Microsoft Shared\web server extensions\12); changes to web.config files; third-party software; and custom SharePoint solutions. SharePoint can be customized in many ways, so this is not a complete list. While this is a tall order, it might be very important, as I'll explain shortly.

Do you have a change log that documents what changes were made? If not, start working on one today! This is also important for disaster-recovery purposes. A useful tip is to use a program like SourceForge's WinMerge (sourceforge.net/projects/winmerge) to compare the contents of your SharePoint root to an unmodified one. If you run third-party software, this would be a good time to contact the vendor to see if the software is compatible with SharePoint 2010.

Upgrade Options 

The next step in your migration plan is to decide what type of upgrade you'll be doing. As it relates to the actual servers in the farm, Microsoft provides only two major upgrade options: in-place and database-attach. These are very different approaches, so I'll review each of them. For those that have experience with upgrading from SPS 2003 (or WSS 2.0), you'll notice that the side-by-side and gradual upgrade options are no longer options when upgrading to 2010. Third-party migration products that give you more options are also available.

In-place upgrade. An in-place upgrade 
is designed to be the basic upgrade option. 
It's an all-at-once upgrade in which you 
upgrade all the servers in your farm at 
the same time. Although basic, it's risky 
because once you start the upgrade, there's 
no cancel option to go back. Fortunately, 
the upgrade works fairly well, and even if 
you experience hiccups, it should resume 
where it left off. To perform an in-place 
upgrade, you must meet the 64-bit and 
Server 2008 requirements covered already. 
So, if some servers in your current farm are 
running Windows Server 2003, you will first 
need to upgrade those before you begin an 
in-place upgrade. 

If you decide an in-place upgrade is right for you, plan on and schedule downtime for the upgrade process. How long the upgrade will take depends on the speed of your servers and the amount of data. Small farms might take only a couple of hours, whereas large ones might take a day or more.

Before you begin, you should stop the World Wide Web Publishing service on each web front end to prevent any HTTP requests. Then, perform a full farm backup. This is just a precautionary step in case the upgrade should fail and you need to return to your previous version.

Start the upgrade by installing SharePoint 2010 on each of the SharePoint servers. The install is similar to the previous version, although a useful new option can automatically install all software prerequisites. The installer will detect a previous version and will tell you that you're about to do an in-place upgrade.

Once the install part is done, you need to run the SharePoint Products and Technologies Configuration Wizard on the server that is hosting the Central Administration website. This is where the upgrade actually begins. During the upgrade process, each content database will automatically be upgraded. If you're running MOSS, each Shared Service Provider (SSP) and its settings will be upgraded and converted into new service applications.

Database-attach upgrade. A database-attach upgrade is done on a brand new farm on new servers. Compared with an in-place upgrade, it is safer since you don't disturb your current environment. Keep in mind that this will take more time as you need to manually reapply farm settings and customizations, and upgrade each content database one by one. Despite the extra work, database-attach upgrades are also a great way to test SharePoint 2010 without having to do an in-place upgrade. If you don't meet the system requirements such as Server 2008 or 64-bit, this type of upgrade is your only option.

After performing the installation and 
creating a new SharePoint 2010 farm, you 
manually create your web applications. 
I recommend using the same settings as 
your current farm, including the URLs such 
as portal.company.com. You might want to 
add temporary entries into your hosts file 
(C:\windows\system\drivers\etc) to bypass 
DNS name resolution. After creating each 
web application, you can delete the default 
content database that is created. 

At this time, you should apply all the file-system customizations that you documented, keeping in mind that the SharePoint root now points to the 14 folder (C:\Program Files\Common Files\Microsoft Shared\web server extensions\14). This is why it's important to capture all the file-system customizations that you made. You might be curious what would happen if you miss a few settings. The result depends on the kind of setting. If it's something fundamental, such as a site definition, none of the websites based on that definition will work. If it's a web part feature, most likely the web part won't display. It's best to try it out and see what happens.

When you're ready, you attach your old content databases to the new farm. You start by restoring the most recent content database backups from your current farm to your new farm. To attach to SharePoint, you should use the addcontentdb operation from Stsadm. Here is the syntax for attaching to a single content database:

stsadm -o addcontentdb -url <url> -databasename <dbname> -databaseserver <sqlserver>

When running the operation, SharePoint will look at the version of the database, and if it detects an old version, it will start the upgrade on it. An upgrade progress indicator displays to the console, and depending on the size, it could take minutes or hours to upgrade. Depending on your SQL Server hardware, you might be able to run several upgrades simultaneously. This is called a parallel database upgrade; you just open another command prompt and run Stsadm again. You can also follow the database upgrade process from Central Administration. Just click the Check upgrade status link from the main page.

For each database you upgrade, two log files will be created in your \14\LOGS folder. One is a detailed log showing each step involved in the upgrade session. Another will show just the warnings and errors that were found in the upgrade. You should find this latter one easy to read, allowing you to focus only on possible problems. 

When reading the logs, you should 
know that just because an error occurred, it 
doesn't mean the database didn't upgrade. 
Similarly, not getting an error doesn't mean 
that everything is fine. As with any upgrade, 
it is essential to test to make sure that existing 
capabilities still function correctly. 
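The attach, parallel upgrade and log-review steps above can be scripted from a farm server. The PowerShell below is an added example and is not code from the article or from Microsoft: it starts one stsadm addcontentdb session per restored database (the article's parallel database upgrade), reports each session's exit code, and then counts warnings and errors in the error logs written to the 14\LOGS folder during the run. The web application URL, the SQL Server name and the database names are constructed placeholders; the "Upgrade-*-error.log" file name pattern and the [ERROR] and [WARNING] tags are assumptions about the SharePoint 2010 upgrade log format, so check them against one real log before relying on the counts.

```powershell
# Added example, not from the article: attach several restored content databases to a
# SharePoint 2010 web application with stsadm, running the upgrades in parallel as the
# article describes, then give a first triage of the per-session error logs in 14\LOGS.
# Database names, the SQL Server name and the URL are constructed placeholders; the
# "Upgrade-*-error.log" file name pattern and the [ERROR]/[WARNING] tags are assumptions
# about the 2010 upgrade log format and should be checked against one real log first.
# Run on a farm server as a farm administrator.

$SharePointRoot = Join-Path $env:CommonProgramFiles "Microsoft Shared\web server extensions\14"
$Stsadm  = Join-Path $SharePointRoot "BIN\stsadm.exe"
$LogDir  = Join-Path $SharePointRoot "LOGS"
$WebApp  = "http://portal.company.com"                       # placeholder URL
$SqlHost = "SQL01"                                           # placeholder SQL Server
$Databases = "WSS_Content_Portal", "WSS_Content_HR", "WSS_Content_Finance"   # placeholders

$started = Get-Date

# One stsadm process per database: the same as opening extra command prompts by hand.
$jobs = foreach ($db in $Databases) {
    Start-Job -Name $db -ArgumentList $Stsadm, $WebApp, $db, $SqlHost -ScriptBlock {
        param($exe, $url, $name, $server)
        & $exe -o addcontentdb -url $url -databasename $name -databaseserver $server 2>&1
        "EXITCODE=$LASTEXITCODE"
    }
}

# Wait for every upgrade to finish and report the stsadm exit code for each database
# (non-zero means the stsadm operation itself failed, which is worth checking before
# reading any upgrade log).
Wait-Job -Job $jobs | Out-Null
foreach ($job in $jobs) {
    $output = Receive-Job -Job $job
    $code = ($output | Where-Object { "$_" -like "EXITCODE=*" }) -replace "EXITCODE=", ""
    Write-Host ("{0,-25} stsadm exit code {1}" -f $job.Name, $code)
    Remove-Job -Job $job
}

# The error log holds only warnings and errors, so counting lines per severity in each
# log written since the run began is a quick way to decide which detailed log to open.
# Keep the article's caveat in mind: an error does not prove the upgrade failed, and a
# clean log does not prove the sites work; test the sites afterwards.
Get-ChildItem -Path $LogDir -Filter "Upgrade-*-error.log" |
    Where-Object { $_.LastWriteTime -ge $started } |
    ForEach-Object {
        $lines = @(Get-Content -Path $_.FullName)
        New-Object PSObject -Property @{
            Log      = $_.Name
            Errors   = @($lines | Where-Object { $_ -match "\[ERROR\]" }).Count
            Warnings = @($lines | Where-Object { $_ -match "\[WARNING\]" }).Count
        }
    } | Format-Table Log, Errors, Warnings -AutoSize
```

Running the sessions as background jobs is equivalent to the article's "open another command prompt"; whether three at once is sensible depends on the SQL Server hardware, so start with two and watch disk and CPU on the database server before adding more.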

For those running MOSS 2007, you should know that a database-attach upgrade won't fully upgrade your SSP into new service applications. When you attach an SSP database, only your user profile store is upgraded. Search settings, Excel Service settings, Business Data Catalog (BDC) application definitions, and other settings must be recreated from scratch. 

Figure 2: Visual Upgrade menu command 

Visual Upgrade 

One of the best features in SharePoint 2010 is the improved UI, which is implemented with a new set of master pages, cascading style sheets (CSS), and JavaScript files. Unfortunately, this will probably be incompatible if you have any existing visual customizations. 

For example, you might be using a custom master page or CSS to brand your environment. To help ease the transition to the new UI, SharePoint has something called Visual Upgrade. This lets you have SharePoint display the previous UI, allowing you to gradually upgrade the UI on a website-by-website basis. Site collection administrators can also apply the new UI to all websites in the site collection in one step. 

When you view an upgraded website, it should look similar to how it looked before the upgrade. This might cause you to wonder if it was upgraded at all. You'll see the old navigation menu, the old master page, and the old theme. When in this mode, you won't get new UI features such as the ribbon. 

To switch to the new UI, you can use the 
Visual Upgrade menu command. This is on 
your Site Actions menu, as Figure 2 shows. 

When you click Visual Upgrade, you'll see three modes to choose from: Display the previous UI, Preview the new UI, and Use the new UI. The default is to display the previous UI. The preview mode is a useful way to test drive the new UI to see how well it works, allowing you to switch back if needed. Once you switch to the third setting (use the new UI), you can go back only by writing code to reset the setting. 
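The "code to reset the setting" the article mentions can be a few lines of PowerShell against the SharePoint 2010 object model. The snippet below is an added example, not code from the article: it reverts one website to the previous UI and re-enables the Visual Upgrade command so the preview can be repeated. The URL is a placeholder; the snippet assumes the SPWeb.UIVersion property (3 for the previous UI, 4 for the new UI) and the UIVersionConfigurationEnabled property, which controls whether Visual Upgrade appears on the Site Actions menu.

```powershell
# Added example, not from the article: revert a website that has been switched to
# "Use the new UI" back to the previous UI and show the Visual Upgrade command again.
# Assumes SPWeb.UIVersion (3 = previous UI, 4 = new UI) and UIVersionConfigurationEnabled.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$web = Get-SPWeb "http://portal.company.com/sites/hr"   # placeholder website URL
try {
    $web.UIVersion = 3                           # display the previous UI again
    $web.UIVersionConfigurationEnabled = $true   # put Visual Upgrade back on Site Actions
    $web.Update()
    "{0}: UIVersion is now {1}" -f $web.Url, $web.UIVersion
}
finally {
    $web.Dispose()                               # SPWeb objects hold unmanaged resources
}
```

Run it once per website that needs to go back; a site collection administrator's one-step "apply to all websites" has no built-in undo, so a loop over $site.AllWebs with the same two assignments is the way to reverse that choice across a whole site collection.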

If you haven't made any visual customizations, the new UI should work just fine. However, keep in mind that it will take some getting used to, so make sure you factor this into your training plan for the migration. For those environments that have heavy visual customizations, you'll probably find that there's some rework needed to get these to display properly in SharePoint 2010 when using the new UI mode. Make sure you factor this work into your migration and testing plans. 

(Figure 2, Visual Upgrade menu command: the Site Actions menu, showing Give Feedback; Create: Add a new library, list, or web page to this website; Edit Page: Add, remove, or update Web Parts on this page; Site Settings: Manage site settings on this site; Edit Site in SharePoint Designer: Create and edit lists, pages, views, and workflows, or adjust settings; Site Workflows: Start or check the status of site workflows; Visual Upgrade: Preview the updated user interface.) 

Moving Forward 

With this overview, I've outlined the preparation steps that will enable you to start your migration project. I've also given you information that will help you choose between the two different upgrade types, in-place and database-attach. For your production environments, you should consider using the database-attach method for testing. Another option if you have a virtualization infrastructure such as VMware or Microsoft Hyper-V is to do a physical-to-virtual (P2V) migration to duplicate your current environment. This would allow you to test an in-place upgrade. Finally, I reviewed how Visual Upgrade lets you decide which websites you want to use the new UI. Armed with this guidance, you'll be able to build and execute a solid SharePoint 2010 migration plan. 

Editor's Note: This article was originally published in the March 2010 issue of SharePointProConnections Magazine, www.sharepointproconnections.com. 
PRODUCTS 

NEW & IMPROVED 

■ Cloud Computing ■ Mobility ■ Virtualization ■ Scripting 


Maintain BlackBerry Email Access Despite Outages 

Mimecast has today announced the launch of Mimecast Continuity Services, a product that lets IT managers provide uninterrupted email access to BlackBerry smartphone users in the event of a Microsoft Exchange outage, BlackBerry Enterprise Server (BES) failure, or Research in Motion infrastructure downtime. By bypassing the BES and communicating directly with the handset from the cloud, Mimecast's Continuity Service ensures that critical mobile workers can remain connected—sending, receiving, and deleting mail as normal—during server downtime. Integration between Mimecast's security, continuity, and archiving service elements manages enforcement of email security, data loss prevention, and archiving policies. 

To learn more, visit www.mimecast.com. 

Quest Announces vWorkspace 7.1 

Quest Software announced a new release of vWorkspace 7.1, a single virtualization solution for application delivery and desktop deployments. The new release includes enhancements such as EOP Xtream to speed WAN performance and integration with Microsoft Windows Server 2008 R2 Remote Desktop Services to automate deployment and administration. EOP Xtream reduces the effects of network latency to deliver faster screen updates and smoother interaction. Quest vWorkspace 7.1 supports multiple centralized desktop platforms, including Microsoft Hyper-V-based virtual desktops, Remote Desktop Session hosts (formerly known as Terminal Servers), and physical/blade PCs. For more information, visit quest.com/vworkspace/new-release.aspx. 

Lock User Access with Deskman 

Anfibia Software has released Deskman 9.3, a security tool to control users' access level, such as locking specific keystrokes, designing a custom Start menu, or locking unwanted or unsafe applications. New features include a new desktop lock (which prevents users from modifying desktop icons), the option to stop Taskman and Regedit, a fixed upgrading system, and other minor bug fixes. 

The Standard Edition of Deskman starts at $49. To learn more, visit anfibia-soft.com/products/deskman. 

Lansweeper Inventory and Reporting Tool Upgraded 

Hemoco Software has released Lansweeper 4.0, the latest version of its automated inventory, reporting, and PC administration tool. Lansweeper lets you inventory your entire Windows network, view all hardware and software details, and offers over 200 built-in reports. The latest version of the tool offers device scanning (routers, printers, etc.), Windows event log error scanning, hardware and software change detection, product key scanning support for Microsoft and Adobe plain text keys, and enhanced Active Directory integration. 

A freeware version of Lansweeper is available, or the paid version starts at $299 for a company license. To learn more, visit lansweeper.com. 

PRODUCT 

BIG-IP Helps Organizations Shift Focus to Cloud 

F5 Networks has released BIG-IP 10.2, the latest version of the company's product software to support the F5 device which, according to the vendor, "delivers high availability, improved performance, application security, and access control, all in one unit." F5 sees BIG-IP as a solution moving organizations closer to what the company calls "On-Demand IT," bringing organizations to build an entire architecture that moves in and out of the cloud. 

The solution offers added security and management features, in an attempt to compensate for many of the concerns people have about the cloud. With F5's unified application delivery architecture, enterprise customers can create security enforcement policies that provide user access according to specific IT requirements and business needs. For instance, F5's new BIG-IP Edge Gateway solution lets enterprise customers simplify the management of application services—such as access, security, and optimization—within a dynamic services model using both traditional data center and cloud computing environments. 

"The cloud is evolving as the next generation of IT," said Erik Giesa, VP of product management and product marketing at F5. "Whether a business is planning to deploy a private cloud or take advantage of external public cloud services, it needs to put its enterprise requirements first and leverage an integrated architecture for on-demand mobility, orchestration, and automation. F5 is committed to helping customers utilize their existing infrastructures, while extending and reusing them to enable a common cloud architectural model—regardless of where IT resources actually reside." 

To learn more, visit f5.com/products/big-ip. 

CloudAFS Offers Combined Cloud and On-Premises Storage Solution 

Gladinet has released Gladinet CloudAFS, a new approach to data storage management that attaches cloud storage to existing file servers and manages data transfer between the on-premises network and the cloud. In this way, CloudAFS offers the fast access of on-premises storage with the expansive storage of a cloud solution, offering an intriguing compromise for organizations that have reservations about the cloud but also see its potential strengths. Access control is provided by native integration with Active Directory or NT Domains, and scheduled backups are supported and can be based on folders or file types. A free trial is available, or the solution costs $4.99/month for one license. To learn more, visit gladinet.com. 

Binary Research Unveils Easy-to-Use Scripting Tool 

Binary Research International announced FastTrack Scripting Host 2010, a rapid scripting tool that simplifies the work of system and network administrators who find a need to write scripts in order to automate day-to-day tasks. FastTrack Scripting Host is designed to be easy to use for non-programmers, letting users execute one script line to perform one operation. 

According to the vendor, anyone with an IT background can write helpful scripts using the tool. Pricing starts at $18 per seat for 25 machines and costs $7.20 per seat for 5,000 machines. 

To learn more, visit binaryresearch.net. 


Paul's Picks 

www.winsupersite.com 

SUMMARIES of in-depth product reviews on Paul Thurrott's SuperSite for Windows 


SharePoint 2010 

PROS: Somewhat improved UI for admins and users; many functional additions; can host Office Web Applications internally 
CONS: 64-bit requirement could shut out smaller shops; doesn't support IE 6 
RATING: ♦♦♦♦◇ 
RECOMMENDATION: Microsoft's collaboration and document management server defies simple description. It's a corporate intranet portal solution, a blogging tool, an online document repository, and a knowledge worker collaboration platform all in one, and it's successfully used for public-facing websites. Now it can even host an internal version of Office Web Apps in tandem with Microsoft SQL Server. It works nicely with non-Microsoft browsers but not, go figure, with IE 6. SharePoint is as big and hairy as ever, but the sheer variety of functionality it offers is astonishing. 

CONTACT: Microsoft • www.microsoft.com 
DISCUSSION: www.winsupersite.com/server/sp2010.asp 

Windows Virtual PC and XP Mode (Update) 

PROS: Free, no longer requires hardware virtualization support; XP apps run side-by-side with Win7 apps; many users get a free version of Windows XP to run virtually 
CONS: Performance isn't great; not as full-featured as rival virtualization solutions 
RATING: ♦♦♦◇◇ 
RECOMMENDATION: Microsoft's middle-of-the-road Windows Virtual PC (WVPC) had three things going for it when it was released in late 2009: It was (and still is) free. Users of Windows 7 Professional, Enterprise, and Ultimate got a free, licensed copy of Windows XP to run virtually (XP Mode). And it offered a semi-seamless way to run (virtualized) Windows XP applications side by side with native Windows 7 applications. Fast forward to mid-2010 and WVPC no longer requires virtualization support in the BIOS and CPU of the computer. But you can't run 64-bit OSs virtually, and if you're looking for a good Help desk or developer solution, WVPC doesn't fit the bill. WVPC and XP Mode are what they were last year: Decent but not best in class. 

CONTACT: Microsoft • www.microsoft.com 
DISCUSSION: www.winsupersite.com/win7/ff_xpmode.asp 
Figure 1: Capturing network traffic 

Colasoft Capsa 7.1 

At some point in the career of almost any IT professional, there comes a time when a detailed examination of network traffic at the packet level is required to troubleshoot a problem. These problems often occur at the worst time, and having the ability to quickly perform a detailed traffic analysis is critical to resolving the problem swiftly and efficiently. 

In the field of network analyzers, there's a range of choices. On the one end, you can obtain free tools that support basic capture tasks but require you to perform much of the analysis. On the other end, you can purchase multifunctional tools that capture the data and perform the analysis for you. 

I took a look at the recently released Capsa 7.1 from Colasoft to see how it performed. 

I was especially interested to see how it fared against free tools such as Microsoft's Network Monitor and Wireshark (formerly Ethereal). I ran the software on a Windows XP Professional SP3 computer. 

Capsa downloaded quickly, and the installation process was brief. During installation, I was given the opportunity to install additional Colasoft tools such as a packet generator. I declined because I was focusing on the network analyzer, but it was nice to see those tools included as an installation option and not as an additional download. I was also happy that the installation process gave me full control over the creation of the desktop and Quick Launch icons instead of littering my test computer with icons everywhere. Finally, I was expecting to have to reboot my computer after the installation, as I assumed that the installation routine would make changes to the network stack. I was happy to see that this wasn't the case and no reboot was required. 

When you start Capsa, an interface presents you with intuitive options that let you select the network you want to analyze and the type of analysis you want to perform, such as Full Analysis, Traffic Monitor, Security Analysis, and Email Analysis. I wanted to analyze traffic, so I selected Traffic Monitor and clicked the large play button. The analysis began immediately. 

As Figure 1 shows, Capsa uses the Fluent interface introduced in Microsoft Office 2007. As such, it's extremely easy to navigate and almost, dare I say, fun to poke around the various tabs as the product captures network traffic. The information that the product can capture can be daunting, but it was easy to filter the capture to look for only HTTP traffic. The filter interface provides an excellent graphical representation of what your newly created filter will do. 

I was able to drill down into my newly captured HTTP traffic to the packet level and examine all the details. Because it was encrypted HTTP Secure (HTTPS) traffic, I couldn't look into the data payload, but all the header details were available. I was also able to examine entire TCP conversations, from the initial handshake all the way down to the FIN flag. The graphical representations that this product can produce are simply wonderful. 

Overall, Capsa is a joy to use. My only complaint is the high price tag, which might make it difficult to justify if you don't spend a majority of your time examining network traffic, as free (and excellent) alternatives exist. Despite this, I highly recommend this product and would be glad to add it to my toolbox. 

InstantDoc ID 125186 


Capsa 7.1 

PROS: Fully featured; easy to use; extremely 
comprehensive 

CONS: High price tag 

RATING: ♦♦♦♦❖ 

PRICE: $549 for a single-seat license without 
maintenance 

RECOMMENDATION: If network administration 
or engineering is your full-time job, you can't go 
wrong with this product. 

CONTACT: Colasoft • 888-467-2634 • 
www.colasoft.com 
There's a big fat mess on the doorstep of any IT shop that needs to support users on mobile devices these days. You know what I'm talking about if you've struggled to figure out which mobile platform is the best choice for your business in terms of security and manageability. You know what I'm talking about if you've had executives dictate which type of mobile devices their workforces should use, regardless of cost or current IT policies for device procurement. You know what I'm talking about if you've had users ask to have their personal smartphones connected to the corporate Microsoft Exchange server. 

So as an IT pro, you're looking at that flaming bag on the doorstep and you know it's your job to stomp on it to put out the fire—even though that's likely just to create a bigger mess. As Brian C. Reed of BoxTone said with regard to the mobility support space, "Pandora's box is open." And that's a fairly apt metaphor. Let's take a look at the trends in enterprise smartphones, see how we got where we are, and figure out where we're headed. 

What Is a Smartphone—and Why? 

To start, it might be useful to think about what exactly the term smartphone really means. "In the past, 
it was essentially a phone that had PDA functionality and maybe some form of Internet connection or 
web browsing and email," said Paul Thurrott, senior technical analyst for Windows IT Pro. "I think a 
modern smartphone—and this would apply to the ones that are being used in enterprises—is really 
that stuff but also the apps platform—a formalized application platform." In other words, it's not enough 
anymore to get your email and even browse the web—along with, oh yeah, that's right, actually make 
phone calls—on your smartphone: Users want or need to run applications on the device as well. 

Whether or not you accept that as a useful definition, there's no denying the impact Apple's iPhone 
has had on the development of the smartphone market. From Apple's initial announcement of the iPhone 
back in 2007, it's been a must-have device among consumers, and although no one 
necessarily expected it to move into the enterprise, it has done just that. Various reports 
place iPhone market share at 25 percent or higher. As Thurrott said, "The iPhone is a 
force of nature. Apple, thus, is responsible for how we define what a smartphone is these 
days. You have to have that stuff that the iPhone has essentially because that's what a 
smartphone is." Thurrott went on to say that "the iPhone has been so popular that these 
consumer-oriented devices suddenly are being allowed into the business." 

And it's not just the iPhone; certainly phones using Google's Android OS have benefited from the trend the iPhone started, and even Windows Mobile and RIM BlackBerry devices have released more consumer-oriented devices—smartphones with full touch screens tied to some form of app store. "Enterprises used to be very restrictive about which phones their users could get and what features they had to have," Thurrott said. "And as these things have gained in acceptance, that [restrictiveness] has gone away." 

It's not just that consumer-oriented smartphones are being allowed into the enterprise: Users are choosing the phones that IT departments need to support. "Users feel they have the right to demand which devices they use," said Reed, who is the chief marketing officer for BoxTone, makers of mobile service management software. "Users feel like they're in charge, especially the executives, so IT is being forced to react.... I've never seen a wave like this before in my 20 years of tech, where the users were in so much control." 

Where We Are: A Snapshot 

It might seem strange to start off looking at where we are by talking about predictions for the future, but I do have a point. So, back in February, BoxTone released forecasts for the mobility space by 2015. You can see the full list of BoxTone's predictions on the company's website at www.boxtone.com/News/Press/PressReleases/02_23_2010_TopPredictions.aspx. First among these predictions is an expected rise in employees with mobile devices connected to the enterprise from 10 to 15 percent today up to 60 to 80 percent by 2015. However, in more recent conversations with its customers about their current mobility plans, that progression might be moving much faster than BoxTone expected. "There's a tremendous growth in terms of adoption rate of mobile connected employees," Reed said. "We have customers who floated at 10, 20 percent, 30 percent of their employees connected to the enterprise from a mobile device who are expecting to double that this year." 

As a secondary point to its prediction about the rise in the number of connected mobile devices, BoxTone goes on to say that employee-owned devices will be a big part of this number. This is where end users are asking—or demanding—that they be allowed to connect their personal iPhone, or Droid, or whatever smartphone they've fallen in love with, to the corporate email server. "The only way an organization is going to rapidly mobilize in that period of time at a low cost is going to be by allowing employee-owned devices to connect to the enterprise," Reed said. 

This point was echoed by Mark Gentile, president and CEO of Odyssey Software, makers of the mobile management solution Athena. "For mobile messaging, for corporate email access, we've definitely seen the trend to let employees buy their phone, maybe subsidize part of their plan, and let them hook it up to Exchange or their email servers," Gentile said. So businesses are getting cost-savings by not supplying the mobile device or the connection plan—unless they choose to offer some sort of subsidy—but the down side is the additional complexity in management to the IT department. 

Letting customers bring their own devices 
opens the door to supporting multiple mobile 
OSs within the organization. In the past, most 
companies probably chose a single mobile 
platform for all employees; BlackBerry or 
Windows Mobile have traditionally been the 
most enterprise-friendly, offering the security 
and provisioning features that businesses 
typically want. The iPhone and Android 
phones have yet to offer the full set of security 
features for best business integration. As Reed 
said, "Employee liability is a huge, intense 
debate for IT because, most specifically, this 
is the first time in history IT has had to deal 
with putting data and corporate information 
on an asset they do not own or control." 

There still seems to be an open question here about why smartphones have broken the rules of IT equipment supply. IT has always been able to control what PC or laptop you can use to connect to the corporate network. Why are smartphones different? I'm not sure there's a good answer. As Thurrott said, "For whatever reason, phones are seen as such a convenience and a necessity that [companies are] allowing that to happen." Chalk it up to the consumerization of IT. 

Exchange ActiveSync 

So you've got rapid expansion in the number of mobile devices your business is supporting coupled with the need to support multiple mobile OSs. One of the factors that perhaps makes this situation bearable is the fact that Exchange ActiveSync (EAS) has become such a standard communication protocol. Recall that the first version of the iPhone released didn't offer EAS support, so getting connected to corporate email was difficult at best on that device. Only with the introduction of EAS to the iPhone 3G was corporate infiltration truly possible. 

As Gentile pointed out, "Most of the handset makers are jumping on the Exchange ActiveSync protocol bandwagon." Microsoft developed the proprietary EAS so that Exchange Server could provide push synchronization of email, calendars, and other Outlook data to mobile devices. But eventually, the Exchange team realized they had a great resource in the protocol itself and began licensing it to third parties. As Exchange expert and Windows IT Pro senior contributing editor Paul Robichaux said, "It was a very wise move on their part because it's been very good for Exchange as a mobile communication platform. It hasn't been as good for Windows Mobile." The result of letting other phone OSs use EAS has been increased competition for Microsoft's own smartphone platform. 

EAS lets mobile phones receive push email securely, and it's generally simple to set up the device to receive mail. EAS can also be used to enforce security policies and provide features such as remote device wipe. However, whether such features of the protocol are enabled is up to the individual handset maker that licenses it—and, as we've seen to this point, many of the features most wanted for enterprise security aren't being implemented yet or are being implemented slowly on the smartphones with the greatest user cachet. 

The Players: Strengths & Weaknesses 

The number of available mobile OSs is 
large. However, in the grand scheme, not 
all of them are going to be significant to 
businesses. Based on the discussions I've 
had with a variety of experts and from the 
reports and research I've read, four mobile 
platforms are worth watching: Android, 
BlackBerry, iPhone, and Windows Mobile. 
There might be others worth talking about. 
For instance, as Gentile said, "I wouldn't discount Nokia because they do have a pretty significant market share in Europe and even worldwide." Which is true; however, their presence in North America these days is almost nil. And it will be interesting to see what happens with Palm's WebOS after the HP purchase goes through, but there's nothing but speculation down that road today. So let's take a look at where each of the four current players excels, and the gaps they have that leave room for improvement. 

Android strengths. According to Thurrott, Android "has simply duplicated Apple's strategy but they've done it with a product that is free—free for device makers to utilize on their own products." So they've got an OS with a really good user experience, and it's tied to an extensive app store, the Android Market. And because it's open source, Android attracts a lot of development, so you can find apps—both free and for a fee—that do just about everything. Another strength with Android is device choice; you can find Android-based smartphones from all the major handset makers and on a variety of carriers. "I fully expect Android to be one of the four major platforms going forward. And it's growing the fastest by far," Thurrott said. 

Android weaknesses. Security, clearly, is a major concern with Android devices being used in the enterprise at this point. Android 2.2, which has just been made available, supports remote device wipe and other enterprise security features—an important step—but it remains for the individual device makers and carriers to get together on when the update is available for any given smartphone model. The open source nature of Android can also fall into the minus column because although there's a lot of third-party development, little is done to maintain overall quality of the apps available. 

BlackBerry strengths. BlackBerry has long been the enterprise standard for smartphones and still by most accounts is the market leader for business use. As Robichaux put it, RIM's "focus has always been on the mobile device as an email platform. For a very long while, they had mobile email capabilities none of the other platforms could match. Now that the other platforms are starting to catch up, RIM is continuing to deliver device-management functionality that makes it really attractive to companies that want to have good control over what people can do with the devices, how they can be used." Security is a true strength of BlackBerry, achieved largely through BlackBerry Enterprise Server (BES), which lets IT departments tightly control device security and maintain company policies for mobile device use—such as blocking applications from being added. "Enterprises don't want users connecting to app stores and downloading applications," Gentile said. "That creates chaos for the Help desk. Enterprises like controlled distribution of software." 

BlackBerry weaknesses. Although BES adds to security and performance, it also adds an extra level of management complexity. Robichaux described BES as a puppy: When you first get it, you have to work to train and housebreak it, but even past that initial phase it still requires care and feeding. "There are a lot of ongoing things you have to do to maintain it that you don't necessarily have to do if you're using just Exchange ActiveSync," he said. Additionally, the BlackBerry has always been aimed at the business market and therefore doesn't necessarily generate the user excitement of other platforms. RIM has launched an app store for BlackBerry, but as Thurrott said, "Their stuff has been a response to what's happened in the marketplace." Translation: They lag far behind in this area. 



iPhone strengths. "The strength of the iPhone, of course, is the app platform," Thurrott said. That's right—you've all seen the commercials: "There's an app for that." Apple gets dinged sometimes for preventing certain apps from being sold in the Apple iTunes Store, but at least you know the apps are being vetted to maintain certain minimum standards. The iPhone also by all accounts presents a phenomenal user experience. 

iPhone weaknesses. Like Android OS, 
the iPhone initially had a poor security 
story, although it's been steadily improving. 
However, it still has a major drawback in 
provisioning that other smartphones don't— 
namely, the need to connect to a computer 
with iTunes to get started out of the box. As 
Robichaux said, "That raises a problem. If I 
want to provision iPhones on my network, 
I have to do one of two things. I either have 
to let my end users take the phone home 
and provision it at home—not a great idea. 
Or I have to install iTunes on my corporate 
PCs—also not a great idea because as soon as 
I do that there are all kinds of attack-surface 
issues, patch-management issues, other 
desktop support issues that come into play 
that don't exist for these other devices." Other 
smartphones can typically be provisioned 
over the air without the need to dock to a 
PC. Another huge limitation with the iPhone 
is its availability only from a single carrier, 
AT&T, which in some businesses might not 
even be an option. But when it comes to 
the iPhone, Thurrott sums it up best: "It has 
many limitations with regards to technical 
issues around multitasking or management 
issues in the enterprise, and so forth. And it 
doesn't matter. It just doesn't matter." 

Windows Mobile. It feels a little awkward, actually, to talk about Windows Mobile in this company. As Thurrott said, Windows Mobile is "an orphan." It's a dead end. Since Microsoft announced its forthcoming Windows Phone 7 platform, would anyone seriously consider deploying Windows Mobile? Microsoft has pledged to continue support for its original mobile platform, but clearly the company is betting its future in the mobile space on Windows Phone 7. 

Nonetheless, Windows Mobile is still prevalent in businesses today, and as the original beneficiary of EAS (Exchange ActiveSync), it's certainly designed with enterprise security in mind. As Thurrott said, "If you're interested in managing a mobile environment, mobile devices from a central server, Windows Mobile is right up there, and they don't get a lot of respect for that. If you're a Microsoft shop, it's a semi-obvious choice." In addition, Robichaux considers Outlook Mobile to be by far the best mobile email client, particularly for heavy email users. 

Windows Phone 7 

So let's talk about the real future for Microsoft. First announced at the Mobile World Congress in Barcelona last February, Windows Phone 7 is a completely new platform, not a continuation of Windows Mobile. You won't be able to upgrade Windows Mobile phones to Windows Phone 7 (although if Microsoft was really smart, they'd come up with some sort of exchange program to prevent current WinMo organizations from switching to a competing platform), but the new Microsoft platform has been designed with the user experience as a very high priority. As Gentile said, Microsoft "definitely took a look at this and reevaluated from top to bottom. It's an incredible platform. We'll see what the hardware looks like, how well it performs, but so far it looks incredible." 

Although Windows Phone 7 is a new platform, it benefits from the experience Microsoft already has in enterprise deployments in mobility. "Microsoft has not done a good job of telling this story yet, but Windows Phone will be enterprise-ready on day one," Thurrott said. "They've been talking up the consumer stuff because that's where all the excitement is in the market. But the truth is they're going to be exactly where Windows Mobile is from an enterprise perspective." So companies should feel comfortable deploying the new platform from a security standpoint. Gentile also mentioned being impressed with the developer story around Windows Phone 7, based on Silverlight, which promises a fertile field for app development and third-party add-ons. 

Naturally, it remains to be seen what sort of impact Windows Phone 7 will have and whether it can reestablish Microsoft as a major player in the mobility space. If you scan the blogosphere, you'll find a lot of people sounding the death knell for Microsoft or claiming that no business would bother with Microsoft's new smartphone platform. But from those who have actually tested the platform, all indications seem to be fairly positive. Ultimately, I think that while individuals may passionately dislike (or love) a particular company and its products, enterprises are less prone to be ruled by emotion and will tend to stick with what has worked for them in the past. Furthermore, as long as the trend for user choice of mobile devices continues, the success of Windows Phone 7 seems to rest on Microsoft to generate excitement out there among those users. We shall see. 

Where Is It All Going? 

As I said at the beginning, it's a big mess out there. It seems clear that no single mobile platform is going to dominate the market in the foreseeable future, and all indications are that businesses are expanding from supporting a single mobile OS to supporting at least two or three. In a poll I posted back in January, just under 28 percent of respondents indicated their companies were supporting only one mobile OS, and 12 percent were already supporting more than four different mobile OSs (windowsitpro.com/go/smartphonehardware). Managing smartphones in the enterprise will continue to be a complex issue. 

A couple of interesting suggestions came out of the discussions I had with some mobility experts. For instance, Mark Gentile thought that the way to address the security problem with user-owned mobile devices would be to develop what he called "bi-modal profiles." The idea is that you could have a business profile on the phone that could adhere to all the corporate policies for application use and so forth and a separate personal profile, partitioned at the OS level, that you could switch the phone into during off hours so that you could download apps, play games, and all the other things businesses typically don't want you to do—all without jeopardizing the security of corporate data. Seems like a great idea—any developers out there paying attention? 

And Brian C. Reed talked about the smartphone as a social media tool. "Organizations are going to start looking at the mobile device as being a customer revenue driver," he said. Traditionally, a smartphone has been seen as a productivity tool. However, with the rise of social media websites such as Facebook and Twitter, and their continued integration into business—witness Outlook 2010's Social Media Connector—and consumers' increased reliance on smartphones, it makes sense that savvy businesses will need to use these devices to connect with their customers. And that leads back to more employees needing support for their phones from IT. 

The Foreseeable Future 

The four major players all have big updates expected before the end of this year. In the case of the more consumer-oriented platforms, Android and iPhone, their updates are expected to add better security and features to generally make them more attractive to businesses. Windows and BlackBerry already excel in enterprise features; their updates are aimed at appealing more to the consumer market. Yes, the more you look at it, the more of a hodgepodge the picture becomes. So if it's your turn to answer the door when that flaming bag shows up, I hope you're wearing your muck boots—or better yet, take a fire extinguisher. 
Event Log Managers 

Automate the tedious task of reviewing event logs 

by Karen Bemowski 


Let's face it. Reviewing event logs is about as fun and tedious as reviewing bank, credit card, 401(k), explanation of benefit (EOB), and other statements. You know you should be reviewing them regularly to look for errors, potential problems, and important messages, but something else always seems to come up, so you put it off until tomorrow. If tomorrow never comes, you might consider getting an event log manager. 

Event-log management products—aka event log managers—can help end the procrastination and the worries associated with neglecting that important task. They can automatically monitor your event logs and alert you to system performance problems and possible security risks. This month's buyer's guide gives you an overview of 13 event log managers. 

Virtually all the event log managers on the market today monitor 
six key Windows logs: 

• Application log 
• Directory Service log 
• DNS Server log 
• File Replication Service log 
• Security log 
• System log 

Since that's the case with all the event log managers in this year's buyer's guide, these six logs aren't listed in the product table. Instead, the buyer's guide concentrates on whether the products monitor additional event logs, such as the event logs of other Microsoft applications (e.g., Exchange Server, SQL Server), third-party applications (e.g., IBM WebSphere, DHCP for Linux), and custom event logs. 

Most event log managers not only monitor event log data but also help you analyze and act on it. To this end, they offer features such as event filtering and automatic alerts. Event filtering sifts through and categorizes events based on their content. When certain error codes or event-description keywords are found, the event log manager automatically notifies you. The notifications can be delivered a variety of ways, including delivery by email, IM, and Short Message Service (SMS). With some event log managers, you can have error codes or event-description keywords automatically trigger an action. For example, you might have a specific error code trigger the immediate shutdown of a server. 
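The filtering-and-alerting behaviour just described, as an added example that is not code from the article or from any product in this guide: a small rule engine over constructed event records in a made-up one-line export format, where a rule matches on event IDs or description keywords, alerts once a threshold is reached, and can carry an automatic action such as the server shutdown mentioned above. Event IDs 4625 and 4720 are real Windows security event IDs (failed logon, account created); the export format, host names, accounts and addresses are constructed.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Constructed one-line export format (not a real Windows export):
#   <timestamp> <log> <source> <event_id> <level> <description...>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<log>\S+) (?P<source>\S+) (?P<event_id>\d+) "
    r"(?P<level>Audit Failure|Audit Success|Error|Warning|Information) (?P<msg>.*)$"
)

@dataclass(frozen=True)
class Event:
    ts: str
    log: str
    source: str
    event_id: int
    level: str
    message: str

@dataclass(frozen=True)
class Rule:
    name: str
    category: str                               # how the filter files matching events
    notify: Tuple[str, ...]                     # delivery channels (email, IM, SMS, ...)
    event_ids: FrozenSet[int] = frozenset()     # match specific event IDs ...
    keywords: Tuple[str, ...] = ()              # ... and/or description keywords
    threshold: int = 1                          # alert only once this many events matched
    action: Optional[str] = None                # automatic action to trigger, e.g. "shutdown"

@dataclass(frozen=True)
class Alert:
    rule: str
    category: str
    notify: Tuple[str, ...]
    action: Optional[str]
    count: int

def parse_event_line(line: str) -> Optional[Event]:
    """Parse one export line; None for lines that do not fit, so one bad record cannot stop the monitor."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(m["ts"], m["log"], m["source"], int(m["event_id"]), m["level"], m["msg"])

def rule_matches(rule: Rule, ev: Event) -> bool:
    """A rule must name at least one criterion, and every criterion it names must hold."""
    if not rule.event_ids and not rule.keywords:
        return False
    if rule.event_ids and ev.event_id not in rule.event_ids:
        return False
    if rule.keywords:
        text = ev.message.lower()
        if not any(k.lower() in text for k in rule.keywords):
            return False
    return True

def evaluate(events: List[Event], rules: List[Rule]) -> List[Alert]:
    """Categorise events against the rules; one alert per rule that reaches its threshold."""
    hits = defaultdict(list)
    for ev in events:
        for rule in rules:
            if rule_matches(rule, ev):
                hits[rule.name].append(ev)
    alerts = []
    for rule in rules:
        matched = hits.get(rule.name, [])
        if len(matched) >= rule.threshold:
            alerts.append(Alert(rule.name, rule.category, rule.notify, rule.action, len(matched)))
    return alerts

RULES = [
    # 4625: Windows "An account failed to log on"; three in one batch is worth a page.
    Rule("failed-logon-burst", "security", ("email", "sms"),
         event_ids=frozenset({4625}), threshold=3),
    # 4720: Windows "A user account was created".
    Rule("new-account", "security", ("email",), event_ids=frozenset({4720})),
    # A description keyword that triggers an automatic action, as in the article's shutdown example.
    Rule("disk-bad-block", "hardware", ("email", "im"),
         keywords=("bad block",), action="shutdown"),
]

# Constructed sample records in the format above; nothing here is captured data.
SAMPLE_LINES = [
    "2010-07-01T08:15:02 Security Microsoft-Windows-Security-Auditing 4625 Audit Failure An account failed to log on. Account Name: jsmith Source Network Address: 10.0.0.7",
    "2010-07-01T08:15:05 Security Microsoft-Windows-Security-Auditing 4625 Audit Failure An account failed to log on. Account Name: jsmith Source Network Address: 10.0.0.7",
    "2010-07-01T08:15:09 Security Microsoft-Windows-Security-Auditing 4625 Audit Failure An account failed to log on. Account Name: jsmith Source Network Address: 10.0.0.7",
    "2010-07-01T09:02:17 Security Microsoft-Windows-Security-Auditing 4720 Audit Success A user account was created. New Account Name: svc-backup2",
    "2010-07-01T09:10:33 System Disk 7 Error The device, Harddisk0, has a bad block.",
    "this line is not in the export format and must be skipped",
]

def parse_sample() -> List[Event]:
    return [ev for ev in map(parse_event_line, SAMPLE_LINES) if ev is not None]

def run_sample() -> List[Alert]:
    return evaluate(parse_sample(), RULES)
```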

Although some events warrant immediate attention, the majority do not. However, you'll still probably want to know about them. That's where reporting capabilities come into play. Some event log managers will automatically generate prebuilt reports for you or let you design custom reports. Others can generate compliance reports that can help you prove compliance with regulations or provide historical trending so that you can see event trends over time. 

Besides covering monitoring, analysis, alerting, and reporting 
features, the buyer's guide covers the basics. For example, it tells 
you the supported Windows server and client OSs and whether the 
event log monitor is agent-based (i.e., an agent is installed on each 
computer to be monitored) or agentless (i.e., at least one server 
or workstation is used to monitor the event logs of servers and 
workstations on a network). 

Note that the information in this buyer's guide is meant to 
jump-start, not replace, your own research. The buyer's guide 
provides the vendors' URLs and telephone numbers so that you 
can further explore their products and ask them questions. If you 
come across a product that you think should be in this buyer's 
guide, let me know about it. Although I tried to make this buyer's 
guide as comprehensive as possible, some products might have 
been left out due to an oversight or due to a lack of response from 
a vendor. (The information comes from vendor representatives 
and resources.) I'll gladly add your product to the online product 
table as a service to our readers if it falls within the confines of this 
buyer's guide. 
Event Log Managers (part 1): Company, Product, Price, Supported Windows Server OSs, Supported Windows Client OSs 

ArcSight (408-864-2600, 888-415-2778, arcsight.com) 
  Product: ArcSight Logger 
  Price: Starts at $20,000 
  Supported Windows server OSs: Windows Server 2008, Windows Server 2003, Windows 2000 Server, and earlier 
  Supported Windows client OSs: Windows 7, Windows Vista, Windows XP, Windows 2000 Professional, and earlier 

Breakout Software (908-561-5210, www.breakoutsoft.com) 
  Product: MonitorIT 
  Price: $99 per server (1 to 99 servers); $84 per server (100 to 249 servers); $69 per server (250 to 499 servers); $54 per server (500 to 9,999 servers) 
  Supported Windows server OSs: Server 2008, Windows 2003, Windows 2000, and earlier 
  Supported Windows client OSs: Windows 7, Vista, XP, Windows 2000 Pro 

Corner Bowl Software (866-501-8670, 866-543-9470, www.cornerbowl.com) 
  Product: Corner Bowl Log Manager 
  Price: $259 for license to run on a single computer and manage logs from 50 computers 
  Supported Windows server OSs: Server 2008, Windows 2003, Windows 2000 
  Supported Windows client OSs: Windows 7, Vista, XP, Windows 2000 Pro 

FSPro Labs (+7 903 438 4643, www.fspro.net) 
  Product: Event Log Explorer 
  Price: Starts at $99.95 per server (1 to 5 servers) 
  Supported Windows server OSs: Server 2008, Windows 2003, Windows 2000, and earlier 
  Supported Windows client OSs: Windows 7, Vista, XP, Windows 2000 Pro 

GFI Software (+44 (0) 870 770 5370, www.gfi.com) 
  Product: GFI EventsManager 
  Price: $45 to $220 per server; $4.50 to $22 per workstation 
  Supported Windows server OSs: Server 2008, Windows 2003 
  Supported Windows client OSs: Windows 7, Vista, XP 

LogRhythm (303-413-8745, www.logrhythm.com) 
  Product: LogRhythm 
  Price: $25,000 
  Supported Windows server OSs: Server 2008, Windows 2003, Windows 2000, and earlier 
  Supported Windows client OSs: Windows 7, Vista, XP, Windows 2000 Pro, and earlier 

NETIKUS.NET (312-624-7698, 877-638-4587, www.netikus.net) 
  Product: EventSentry 
  Price: Starts at $85 
  Supported Windows server OSs: Server 2008, Windows 2003, Windows 2000, and earlier 
  Supported Windows client OSs: Windows 7, Vista, XP, Windows 2000 Pro, and earlier 

NetWrix (201-490-8840, 888-638-9749, www.netwrix.com) 
  Product: NetWrix Event Log Manager 
  Price: Ranges from $70 to $750 per managed server depending on total license count; freeware version also available 
  Supported Windows server OSs: Server 2008, Windows 2003, Windows 2000 
  Supported Windows client OSs: Windows 7, Vista, XP, Windows 2000 Pro 

NRG Global (626-478-2138, 877-398-9537, www.nrgglobal.com) 
  Product: LogWatch 
  Price: $125 
  Supported Windows server OSs: Server 2008, Windows 2003, Windows 2000 
  Supported Windows client OSs: Windows 7, Vista, XP, Windows 2000 Pro 

Omnitrend (860-673-8910, www.omnitrend.com) 
  Product: ServScan 
  Price: Ranges from $299 (5 computers supported) to $1,299 (unlimited number of computers supported) 
  Supported Windows server OSs: Server 2008, Windows 2003, Windows 2000, and earlier 
  Supported Windows client OSs: Windows 7, Vista, XP, Windows 2000 Pro, and earlier 

Quest Software (949-754-8000, 800-306-9329, www.quest.com) 
  Product: Quest InTrust 
  Price: Contact Quest 
  Supported Windows server OSs: Server 2008, Windows 2003, Windows 2000, and earlier 
  Supported Windows client OSs: Windows 7, Vista, XP, Windows 2000 Pro, and earlier 

TNT Software (360-546-0878, 877-546-0878, www.tntsoftware.com) 
  Product: ELM Event Log Monitor 
  Price: $125 per Windows server 
  Supported Windows server OSs: Server 2008, Windows 2003, Windows 2000, and earlier 
  Supported Windows client OSs: Windows 7, Vista, XP, Windows 2000 Pro, and earlier 

Zoho (ManageEngine Division) (925-924-9500, 888-720-9500, www.eventloganalyzer.com) 
  Product: ManageEngine EventLog Analyzer 
  Price: Starts at $395 (annual subscription fee for 10 hosts pack) 
  Supported Windows server OSs: Server 2008, Windows 2003, Windows 2000, and earlier 
  Supported Windows client OSs: Windows 7, Vista, XP, Windows 2000 Pro, and earlier 
Event Log Managers (part 2): Agent-Based or Agentless Monitoring, Monitors the Event Logs of Other Microsoft Applications, Monitors the Event Logs of Third-Party Applications, Monitors Custom Event Logs, Monitors Multiple Systems, Real-Time Monitoring (rows matched to companies by table row order) 

ArcSight Logger (ArcSight) 
  Agent-based or agentless: Both 
  Other Microsoft applications: Yes—ACS/Microsoft Operations Manager (MOM), DHCP Server, Exchange Server, Forefront, IEF, IIS, Internet Authentication Service (IAS)/Remote Authentication Dial-In User Service (RADIUS), ISA Server, SQL Server, and WINS 
  Third-party applications: Yes—out-of-the-box support for over 300 products (e.g., SAP, WebSphere, WebLogic) and can extend to other applications through the ArcSight flex connector 
  Custom event logs: Yes; Multiple systems: Yes; Real-time monitoring: Yes 

MonitorIT (Breakout Software) 
  Agent-based or agentless: Agent-based 
  Other Microsoft applications: Yes—any Windows event log, including the new Windows EVTX event logs 
  Third-party applications: Yes—any third-party event logs 
  Custom event logs: Yes; Multiple systems: Yes; Real-time monitoring: Yes 

Corner Bowl Log Manager (Corner Bowl Software) 
  Agent-based or agentless: Agentless 
  Other Microsoft applications: Yes—any event log 
  Third-party applications: Yes—any event log 
  Custom event logs: Yes; Multiple systems: Yes; Real-time monitoring: Yes 

Event Log Explorer (FSPro Labs) 
  Agent-based or agentless: Agentless 
  Other Microsoft applications: No 
  Third-party applications: No 
  Custom event logs: Yes; Multiple systems: Yes; Real-time monitoring: No 

GFI EventsManager (GFI Software) 
  Agent-based or agentless: Agentless 
  Other Microsoft applications: Yes—any application that stores logs in its own or an existing event log (e.g., Exchange Server, IIS Server, ISA Server) 
  Third-party applications: Yes—any application that stores logs in its own or an existing event log 
  Custom event logs: Yes; Multiple systems: Yes; Real-time monitoring: Yes 

LogRhythm (LogRhythm) 
  Agent-based or agentless: Both 
  Other Microsoft applications: Yes—out-of-the-box support for any log in the MS event log format 
  Third-party applications: Yes—out-of-the-box support for any log in the MS event log format as well as support for Syslog, flat file, NetFlow, Secure Device Event Exchange (SDEE), OPSEC LEA, and ODBC-compliant database logs 
  Custom event logs: Yes; Multiple systems: Yes; Real-time monitoring: Yes 

EventSentry (NETIKUS.NET) 
  Agent-based or agentless: Agent-based 
  Other Microsoft applications: Yes—any event log 
  Third-party applications: Yes—any event log 
  Custom event logs: Yes; Multiple systems: Yes; Real-time monitoring: Yes 

NetWrix Event Log Manager (NetWrix) 
  Agent-based or agentless: Both 
  Other Microsoft applications: Yes—all types of Windows event logs 
  Third-party applications: Yes—all Syslog-capable network devices and servers 
  Custom event logs: Yes; Multiple systems: Yes; Real-time monitoring: Yes 

LogWatch (NRG Global) 
  Agent-based or agentless: Both 
  Other Microsoft applications: Yes—all event logs and text logs 
  Third-party applications: Yes—any application logs 
  Custom event logs: Yes; Multiple systems: Yes; Real-time monitoring: Yes 

ServScan (Omnitrend) 
  Agent-based or agentless: Agentless 
  Other Microsoft applications: Yes—Exchange Server 
  Third-party applications: No 
  Custom event logs: Yes; Multiple systems: Yes; Real-time monitoring: Yes 

Quest InTrust (Quest Software) 
  Agent-based or agentless: Both 
  Other Microsoft applications: Yes—Audit Collection Services (ACS), DHCP Server, Excel, IIS, ISA Server, Proxy Server, and SQL Server 
  Third-party applications: Quest Recovery Manager for Active Directory, Quest ActiveRoles Server, and Quest Privilege Manager for UNIX 
  Custom event logs: Yes; Multiple systems: Yes; Real-time monitoring: Yes 

ELM Event Log Monitor (TNT Software) 
  Agent-based or agentless: Both 
  Other Microsoft applications: Yes—all event logs with registered event sources or installed event publishers 
  Third-party applications: Yes—all event logs with registered event sources or installed event publishers 
  Custom event logs: Yes; Multiple systems: Yes; Real-time monitoring: Yes 

ManageEngine EventLog Analyzer (Zoho, ManageEngine Division) 
  Agent-based or agentless: Agentless 
  Other Microsoft applications: Yes—DHCP Server, IIS FTP Server, IIS Web Server, and SQL Server 
  Third-party applications: Yes—DHCP for Linux, Oracle Audit Logs, UNIX, VMware, and Syslog-supported devices 
  Custom event logs: Yes; Multiple systems: Yes; Real-time monitoring: Yes 
Event Log Managers (part 3): Company, Centralized Logging and Reporting, Event Filtering, Event Consolidation, Intelligent/Expanded Event Explanations, Automatic Alerts 

ArcSight (408-864-2600, 888-415-2778, arcsight.com) 
  Centralized logging and reporting: Yes; Event filtering: Yes; Event consolidation: Yes; Intelligent/expanded event explanations: Yes 
  Automatic alerts: Yes—alerts via email, SNMP trap, and Syslog 

Breakout Software (908-561-5210, www.breakoutsoft.com) 
  Centralized logging and reporting: Yes; Event filtering: Yes; Event consolidation: Yes; Intelligent/expanded event explanations: No 
  Automatic alerts: Yes—alerts via audible alarm, email, pager, phone, SNMP trap, Syslog, and custom executables for customized alerts 

Corner Bowl Software (866-501-8670, 866-543-9470, www.cornerbowl.com) 
  Centralized logging and reporting: Yes; Event filtering: Yes; Event consolidation: Yes; Intelligent/expanded event explanations: No 
  Automatic alerts: Yes—alerts via audible alarm, desktop message box, email, pager, phone, Short Message Service (SMS) notification, SNMP trap, Syslog, tray popup, and custom executables for customized alerts 

FSPro Labs (+7 903 438 4643, www.fspro.net) 
  Centralized logging and reporting: Yes; Event filtering: Yes; Event consolidation: Yes; Intelligent/expanded event explanations: Yes 
  Automatic alerts: No 

GFI Software (+44 (0) 870 770 5370, www.gfi.com) 
  Centralized logging and reporting: Yes; Event filtering: Yes; Event consolidation: No; Intelligent/expanded event explanations: Yes 
  Automatic alerts: Yes—alerts via email, network messages, SMS notification, SNMP trap, and custom executables for customized alerts 

LogRhythm (303-413-8745, www.logrhythm.com) 
  Centralized logging and reporting: Yes; Event filtering: Yes; Event consolidation: Yes; Intelligent/expanded event explanations: Yes 
  Automatic alerts: Yes—alerts via email, SMS notification, and SNMP trap 

NETIKUS.NET (312-624-7698, 877-638-4587, www.netikus.net) 
  Centralized logging and reporting: Yes; Event filtering: Yes; Event consolidation: Yes; Intelligent/expanded event explanations: Yes 
  Automatic alerts: Yes—alerts via audible alarm, desktop notification, email, IM, Net Send, pager, SMS notification, SNMP trap, Syslog, and custom executables for customized alerts 

NetWrix (201-490-8840, 888-638-9749, www.netwrix.com) 
  Centralized logging and reporting: Yes; Event filtering: Yes; Event consolidation: Yes; Intelligent/expanded event explanations: No 
  Automatic alerts: Yes—alerts via email and SMS notification 

NRG Global (626-478-2138, 877-398-9537, www.nrgglobal.com) 
  Centralized logging and reporting: Yes; Event filtering: Yes; Event consolidation: Yes; Intelligent/expanded event explanations: Yes 
  Automatic alerts: Yes—alerts via email, SMS notification, SNMP trap, and custom executables for customized alerts 

Omnitrend (860-673-8910, www.omnitrend.com) 
  Centralized logging and reporting: No; Event filtering: Yes; Event consolidation: No; Intelligent/expanded event explanations: No 
  Automatic alerts: Yes—alerts via email, pager, phone, SMS notification, and Syslog 

Quest Software (949-754-8000, 800-306-9329, www.quest.com) 
  Centralized logging and reporting: Yes; Event filtering: Yes; Event consolidation: Yes; Intelligent/expanded event explanations: Yes 
  Automatic alerts: Yes—alerts via email, SNMP trap, and custom executables for customized alerts 

TNT Software (360-546-0878, 877-546-0878, www.tntsoftware.com) 
  Centralized logging and reporting: Yes; Event filtering: Yes; Event consolidation: Yes; Intelligent/expanded event explanations: Yes 
  Automatic alerts: Yes—alerts via audible alarm, desktop notification icon with audible alarm, email, pager, phone, SMS notification, SNMP trap, Syslog, and custom executables for customized alerts 

Zoho (ManageEngine Division) (925-924-9500, 888-720-9500, www.eventloganalyzer.com) 
  Centralized logging and reporting: Yes; Event filtering: Yes; Event consolidation: Yes; Intelligent/expanded event explanations: Yes 
  Automatic alerts: Yes—alerts via email, SMS notification, SNMP trap, and custom executables for customized alerts 

70 JULY 2010 Windows IT Pro 


Event Log Managers (part 4): Automatic Actions, Supports Scripts, Automatic Report Generation (Available Formats), Compliance Reporting, Customizable Reporting, Historical Trending, Archiving, Databases the Product Can Write To (rows matched to companies by table row order) 

ArcSight Logger (ArcSight) 
  Automatic actions: No; Supports scripts: No 
  Automatic report generation: Yes (.csv, .doc, .html, .pdf, .txt, .xls, and .xml) 
  Compliance reporting: Yes; Customizable reporting: Yes; Historical trending: No; Archiving: Yes 
  Databases the product can write to: MySQL 

MonitorIT (Breakout Software) 
  Automatic actions: Yes; Supports scripts: Yes 
  Automatic report generation: Yes (.html) 
  Compliance reporting: Yes; Customizable reporting: Yes; Historical trending: Yes; Archiving: Yes 
  Databases the product can write to: Access, Microsoft Data Engine (MSDE), SQL Server, and any ODBC databases 

Corner Bowl Log Manager (Corner Bowl Software) 
  Automatic actions: Yes; Supports scripts: Yes 
  Automatic report generation: Yes (.csv, .html, .txt, and .xml) 
  Compliance reporting: Yes; Customizable reporting: Yes; Historical trending: No; Archiving: Yes 
  Databases the product can write to: MySQL and SQL Server 

Event Log Explorer (FSPro Labs) 
  Automatic actions: No; Supports scripts: No 
  Automatic report generation: No 
  Compliance reporting: No; Customizable reporting: No; Historical trending: No; Archiving: Yes 
  Databases the product can write to: None 

GFI EventsManager (GFI Software) 
  Automatic actions: No; Supports scripts: No 
  Automatic report generation: Yes 
  Compliance reporting: Yes; Customizable reporting: Yes; Historical trending: Yes; Archiving: Yes 
  Databases the product can write to: SQL Server 

LogRhythm (LogRhythm) 
  Automatic actions: Yes; Supports scripts: No 
  Automatic report generation: Yes (.csv, .doc, .pdf, .rpt, .rtf, and .xls) 
  Compliance reporting: Yes; Customizable reporting: Yes; Historical trending: Yes; Archiving: Yes 
  Databases the product can write to: SQL Server 

EventSentry (NETIKUS.NET) 
  Automatic actions: Yes; Supports scripts: Yes 
  Automatic report generation: No 
  Compliance reporting: Yes; Customizable reporting: Yes; Historical trending: Yes; Archiving: Yes 
  Databases the product can write to: Access, MySQL, Oracle, SQL Server 2008, SQL Server 2005, and SQL Server 2000 (including Express Editions) 

NetWrix Event Log Manager (NetWrix) 
  Automatic actions: No; Supports scripts: Yes 
  Automatic report generation: Yes (.csv, .html, .pdf, and .xls) 
  Compliance reporting: Yes; Customizable reporting: Yes; Historical trending: No; Archiving: Yes 
  Databases the product can write to: SQL Server 

LogWatch (NRG Global) 
  Automatic actions: Yes; Supports scripts: Yes 
  Automatic report generation: Yes (.html and .pdf) 
  Compliance reporting: No; Customizable reporting: Yes; Historical trending: Yes; Archiving: Yes 
  Databases the product can write to: MSDE and SQL Server 

ServScan (Omnitrend) 
  Automatic actions: No; Supports scripts: No 
  Automatic report generation: No 
  Compliance reporting: No; Customizable reporting: No; Historical trending: No; Archiving: No 
  Databases the product can write to: None 

Quest InTrust (Quest Software) 
  Automatic actions: Yes; Supports scripts: Yes 
  Automatic report generation: Yes (.csv, .doc, .html, and .pdf) 
  Compliance reporting: Yes; Customizable reporting: Yes; Historical trending: Yes; Archiving: Yes 
  Databases the product can write to: SQL Server 

ELM Event Log Monitor (TNT Software) 
  Automatic actions: Yes; Supports scripts: Yes 
  Automatic report generation: Yes (.mht) 
  Compliance reporting: Yes; Customizable reporting: Yes; Historical trending: Yes; Archiving: Yes 
  Databases the product can write to: SQL Server (including Express Editions) 

ManageEngine EventLog Analyzer (Zoho, ManageEngine Division) 
  Automatic actions: Yes; Supports scripts: Yes 
  Automatic report generation: Yes (.csv, .html, and .pdf) 
  Compliance reporting: Yes; Customizable reporting: Yes; Historical trending: Yes; Archiving: Yes 
  Databases the product can write to: MySQL and SQL Server 
BUYER'S GUIDE 

Two-Factor Authentication 
by Lavon Peters 

Secure your systems and data 
[Editor's Note: Information in this buyer's guide comes from vendor 
representatives and resources and is meant to jump-start, not replace, 
your own research; also, some products might have been left out, 
either as an oversight or from lack of vendor response.] 

Usernames and passwords are the first step in authenticating those who log on to your systems. However, sometimes you need stronger authentication—especially for remote users, or for highly sensitive data and files. Two-factor authentication requires users to provide two pieces of identifying information. Typical identification factors include something the user knows, such as the username/ID, password, or PIN; something the user has, such as a hardware/USB token or smart card; and something the user is, which includes physical characteristics such as finger/handprints, iris/retina identification, or voice pattern recognition. 

Using multiple identification factors increases the security of your systems and prevents unauthorized users from gaining access to sensitive information. Numerous multifactor authentication solutions are available, in a variety of forms (hardware devices, software, or services). 

Types of Solutions 

Hardware solutions include keyfob tokens, USB tokens, and smart cards or magnetic cards. Many hardware solutions also require proprietary software to function. In addition, smart cards and magnetic cards can also require special card readers. 

One-time password (OTP) solutions generate unique numeric 
passwords for one-time use. These solutions are typically distributed as 
keyfob tokens and don't require client software or USB connectivity. 

Soft OTP tokens provide the same functionality as OTP solutions, 
but the password is sent to or generated on a mobile device, such as an 
iPhone or BlackBerry. These solutions are cost effective because they 
don't require actual hardware tokens—the mobile device is the token. 
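As an added illustration, not code from the article or from any vendor in the guide, here is the RFC 4226 HOTP algorithm that counter-based keyfob and soft OTP tokens typically implement, together with a server-side verifier for the PIN + OTP passcode form several products in the table use. The verifier tolerates a few skipped token presses and retires every counter it has accepted, so a code is good for one use only. The user name, PIN and look-ahead window are constructed values; the shared secret is the RFC 4226 test-vector key.

```python
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass

DIGITS = 6  # length of the numeric one-time password


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def _hash_pin(pin: str, salt: bytes) -> bytes:
    # The PIN is "something the user knows"; the server keeps only a salted hash of it.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


@dataclass
class TokenRecord:
    secret: bytes      # shared secret provisioned into the keyfob or soft token
    salt: bytes
    pin_hash: bytes
    counter: int = 0   # lowest counter value the server will still accept


class OtpVerifier:
    """Server-side check of a passcode made of the user's PIN followed by the token's OTP."""

    def __init__(self, look_ahead: int = 5):
        # A token's counter advances on every button press whether or not the code
        # reaches the server, so the server tolerates a few skipped values.
        self.look_ahead = look_ahead
        self.tokens = {}   # user name -> TokenRecord

    def enroll(self, user: str, secret: bytes, pin: str) -> None:
        salt = os.urandom(16)
        self.tokens[user] = TokenRecord(secret, salt, _hash_pin(pin, salt))

    def verify(self, user: str, passcode: str) -> bool:
        rec = self.tokens.get(user)
        if rec is None or len(passcode) <= DIGITS:
            return False
        pin, otp = passcode[:-DIGITS], passcode[-DIGITS:]
        if not hmac.compare_digest(_hash_pin(pin, rec.salt), rec.pin_hash):
            return False   # wrong PIN: the OTP alone is not enough
        for c in range(rec.counter, rec.counter + self.look_ahead):
            if hmac.compare_digest(hotp(rec.secret, c), otp):
                # Accepting counter c retires c and every earlier counter, so a captured
                # passcode cannot be replayed later. A code relayed at once by a
                # man-in-the-middle or trojan is still valid, which is the caveat the
                # Limitations section of this article makes.
                rec.counter = c + 1
                return True
        return False
```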

Although biometric authentication solutions still seem like 
something out of the future (think of the movie "Minority Report"), 
many authentication products do use biometrics. One of the most 
common types of biometric devices is a fingerprint scanner, found 
on many laptops. The benefit of physical identification is that it 
can't be lost or stolen; however, these solutions can be quite costly 
and difficult to implement. 

Considerations 

In choosing a multifactor authentication solution, you need to consider how it integrates with the systems you already have in place. You should consider OS compatibility, application integration, and directory integration. In addition, you need to evaluate the product's management features. 


OS compatibility. Obviously your multifactor authentication 
solution needs to work with the OSs you're running. But if you have 
legacy systems, or you're running non-Windows OSs, you need to 
ensure that the solution you choose also works with those systems. 

Application integration. Another consideration is how the 
solution integrates with your applications. Does it use Windows 
Graphical Identification and Authentication (GINA) logon for 
application authentication? Or does the product have a separate 
web service for integration with your applications? 

Directory integration. An important factor is whether and how well a solution integrates with your existing directory technology. For example, does the solution integrate directly with Active Directory (AD) or other LDAP directories? Does it have its own directory, with no outside integration? Or does it have its own directory but can still read from a separate LDAP directory? 

Management. How easy a product is to use can often be a driving force in making or breaking its adoption in an organization. Note whether the authentication solution you're considering has integrated management software, or a web interface for user management—as well as how complicated these components are. Another important feature is whether the product has a password override feature, in case a user loses or forgets a token. 

Limitations 

Multifactor authentication solutions certainly won't perform any 
security miracles, and in fact, they have some limitations. These 
solutions won't work against man-in-the-middle attacks or trojans, 
because both of these attacks actually rely on users logging on. 
However, just because you can't protect against everything doesn't 
mean you shouldn't protect against anything—and multifactor 
solutions do protect against illicit logons. 

No Excuses 

Strong authentication is necessary to ensure the security of your network and systems. User IDs and strong passwords are necessary, but they aren't enough to really lock down your data. Multifactor authentication solutions are available in a variety of formats and at almost every price point—so if you need such a solution, there's almost no excuse for not using one. Consult the accompanying buyer's guide table for a list of two-factor authentication products. 

InstantDoc ID 125261 

Lavon Peters (lpeters@windowsitpro.com) is a senior editor for Windows IT Pro and SQL Server Magazine, specializing in security. She has worked as a technical 
TWO-FACTOR AUTHENTICATION (part 1): Company, Product, Price, Type of Physical Device, Type of Password ID, Type of Biometric ID, Proprietary Software Required?, Proprietary Reader Required?, Mobile Device Integration? 

Authenex (408-922-0372, 877-288-4363, www.authenex.com) 
  Product: ASAS 
  Price: Varies by number of users; 10-user starter kit is $1,000 
  Physical device: Hardware keyfob token; hybrid USB and software OTP tokens available 
  Password ID: Password, PIN 
  Biometric ID: None 
  Proprietary software required: No; Proprietary reader required: N/A; Mobile device integration: Yes 

Comodo Group (703-637-9361, 888-256-2608, www.comodo.com/enterprise) 
  Product: Comodo Two-Factor Authentication 
  Price: $6 per license; volume discounts available 
  Physical device: None; client-side digital certificate provides authentication 
  Password ID: None; OTP option available 
  Biometric ID: None 
  Proprietary software required: Yes; Proprietary reader required: N/A; Mobile device integration: Yes 

DigitalPersona (650-474-4000, 877-378-2738, www.digitalpersona.com) 
  Product: DigitalPersona Pro 
  Price: Varies according to package 
  Physical device: Token, smart card 
  Password ID: Password 
  Biometric ID: Fingerprint, face 
  Proprietary software required: Yes; Proprietary reader required: No; Mobile device integration: No 

MultiFactor (949-456-8581, 877-779-3082, www.multifa.com) 
  Product: SecureAuth 
  Price: $2 to $9.80 per user 
  Physical device: USB token 
  Password ID: Password, PIN 
  Biometric ID: None 
  Proprietary software required: Yes; Proprietary reader required: No; Mobile device integration: Yes 

MXI Security (514-333-5010, 888-422-6726, www.mxisecurity.com) 
  Product: Stealth Series Encrypted USB 
  Price: $49 to $349 
  Physical device: None; optional Common Access Card (CAC)/Personal Identity Verification (PIV) card integration 
  Password ID: Password 
  Biometric ID: Fingerprint 
  Proprietary software required: No; Proprietary reader required: No; Mobile device integration: Yes 

Quest Software (949-754-8000, 800-306-9329, www.quest.com) 
  Product: Defender 
  Price: $75 per user 
  Physical device: Hardware keyfob token, USB token, software token, smart card 
  Password ID: Password, PIN, OTP 
  Biometric ID: None 
  Proprietary software required: Yes; Proprietary reader required: No; Mobile device integration: Yes 

RSA (781-515-5000, 800-495-1095, www.rsa.com) 
  Product: RSA SecurID 
  Price: Contact vendor 
  Physical device: Keyfob token; software tokens for mobile devices 
  Password ID: PIN + OTP 
  Biometric ID: None 
  Proprietary software required: Yes; Proprietary reader required: No; Mobile device integration: Yes 

Scorpion Software (604-824-9001, 888-407-4285, www.scorpionsoft.com) 
  Product: AuthAnvil 
  Price: $5 per user per month 
  Physical device: Hardware keyfob token 
  Password ID: Password, PIN + OTP 
  Biometric ID: None 
  Proprietary software required: Yes; Proprietary reader required: N/A; Mobile device integration: Yes 

SecurEnvoy (727-608-4325, www.securenvoy.com) 
  Product: SecurAccess 
  Price: $2,475 for 1,000 users 
  Physical device: None 
  Password ID: None 
  Biometric ID: None 
  Proprietary software required: No; Proprietary reader required: N/A; Mobile device integration: Yes 

Thales e-Security (954-888-6200, 888-744-4976, www.thalesgroup.com/iss) 
  Product: SafeSign 
  Price: Starting at $15,000 
  Physical device: Hardware keyfob token, USB token, smart card 
  Password ID: None 
  Biometric ID: None 
  Proprietary software required: Yes; Proprietary reader required: No; Mobile device integration: Yes 

VASCO Data Security (322-609-9700, www.vasco.com) 
  Product: DIGIPASS for Mobile 
  Price: Contact vendor 
  Physical device: Hardware keyfob token 
  Password ID: Password, PIN 
  Biometric ID: None 
  Proprietary software required: Yes; Proprietary reader required: N/A; Mobile device integration: Yes 

VeriSign (650-961-7500, www.verisign.com) 
  Product: VeriSign Identity Protection (VIP) Authentication Service 
  Price: Based on number of users 
  Physical device: None 
  Password ID: Password 
  Biometric ID: None 
  Proprietary software required: No; Proprietary reader required: N/A; Mobile device integration: Yes 

WiKID Systems (866-244-1876, www.wikidsystems.com) 
  Product: WiKID Strong Authentication System 
  Price: Starting at $24 per user per year 
  Physical device: None 
  Password ID: PIN 
  Biometric ID: None 
  Proprietary software required: Yes; Proprietary reader required: No; Mobile device integration: Yes 
TWO-FACTOR AUTHENTICATION (part 2): Operating Systems, Windows GINA Logon?, Web Service for Application Integration?, Has Its Own Directory?, AD Integration?, LDAP Integration?, Integrated Management Software?, Web Interface for User Management?, Password Override? (rows matched to companies by table row order) 

ASAS (Authenex) 
  Operating systems: Windows Server 2008 R2, Windows Server 2008, Windows 7, Windows Vista, Windows Server 2003, Windows XP 
  GINA logon: No; Web service: Yes; Own directory: Yes; AD integration: Yes; LDAP integration: Yes (Novell, OpenLDAP) 
  Integrated management software: Yes; Web interface for user management: Yes; Password override: Yes 

Comodo Two-Factor Authentication (Comodo Group) 
  Operating systems: Server 2008 R2, Server 2008, Windows 7, Vista, Windows 2003, XP, Windows Server 2000 
  Remaining columns: seven "Yes" values were recovered for the eight columns; which column is missing could not be recovered from the source 

DigitalPersona Pro (DigitalPersona) 
  Operating systems: Server 2008 R2, Server 2008, Windows 7, Vista, Windows 2003, XP 
  Remaining columns: four "Yes" values were recovered; the other cells could not be recovered from the source 

SecureAuth (MultiFactor) 
  Operating systems: Server 2008 R2, Server 2008, Windows 7, Vista, Windows 2003, XP, Win2K, Red Hat Enterprise Linux, SUSE, Ubuntu, Mac OS 10.4/10.5/10.6 
  GINA logon: Yes; Web service: Yes; Own directory: No; AD integration: Yes; LDAP integration: Yes 
  Integrated management software: Yes; Web interface for user management: Yes; Password override: Yes 

Stealth Series Encrypted USB (MXI Security) 
  Operating systems: Vista, XP, Win2K 
  GINA logon: Yes; Web service: No; Own directory: Yes; AD integration: Yes; LDAP integration: Yes 
  Integrated management software: Yes; Web interface for user management: Yes; Password override: Yes 

Defender (Quest Software) 
  Operating systems: Server 2008 R2, Server 2008, Windows 7, Vista, Windows 2003, XP, Win2K, UNIX, Linux, Mainframe (RACF/Top Secret) 
  GINA logon: Yes; Web service: Yes; Own directory: No; AD integration: Yes; LDAP integration: No 
  Integrated management software: Yes; Web interface for user management: Yes; Password override: Yes 

RSA SecurID (RSA) 
  Operating systems: Server 2008 R2, Server 2008, Windows 7, Vista, Windows 2003, XP, Win2K 
  GINA logon: Yes; Web service: Yes; Own directory: Yes; AD integration: Yes; LDAP integration: Yes 
  Integrated management software: Yes; Web interface for user management: Yes; Password override: Yes 

AuthAnvil (Scorpion Software) 
  Operating systems: Server 2008 R2, Server 2008, Windows 7, Vista, Windows 2003, XP, Linux, BSD, Mac OS X, Sun Solaris 
  GINA logon: Yes; Web service: Yes; Own directory: Yes; AD integration: Yes; LDAP integration: No 
  Integrated management software: Yes; Web interface for user management: Yes; Password override: Yes 

SecurAccess (SecurEnvoy) 
  Operating systems: Server 2008 R2, Windows 2003, Sun Solaris 
  GINA logon: Yes; Web service: Yes; Own directory: No; AD integration: Yes; LDAP integration: Yes (Novell, OpenLDAP) 
  Integrated management software: Yes; Web interface for user management: Yes; Password override: Yes 

SafeSign (Thales e-Security) 
  Operating systems: Server 2008 R2, Server 2008, Windows 2003, XP, Win2K, UNIX, Linux, Sun Solaris 
  GINA logon: No; Web service: Yes; Own directory: Yes; AD integration: Yes; LDAP integration: Yes 
  Integrated management software: Yes; Web interface for user management: Yes; Password override: Yes 

DIGIPASS for Mobile (VASCO Data Security) 
  Operating systems: Server 2008 R2, Server 2008, Windows 7, Vista, Windows 2003, XP, Win2K, UNIX, Linux, HP-UX, AIX, AS400, Z/OS, Sun Solaris, Android, Objective C, Windows Mobile, BlackBerry OS, J2ME platforms 
  GINA logon: Yes; Web service: Yes; Own directory: Yes; AD integration: Yes; LDAP integration: Yes 
  Integrated management software: Yes; Web interface for user management: Yes; Password override: Yes 

VeriSign Identity Protection (VIP) Authentication Service (VeriSign) 
  Operating systems: Server 2008 R2, Server 2008, Windows 7, Vista, Windows 2003, XP, Win2K 
  GINA logon: No; Web service: Yes; Own directory: No; AD integration: Yes; LDAP integration: Yes 
  Integrated management software: Yes; Web interface for user management: Yes; Password override: No 

WiKID Strong Authentication System (WiKID Systems) 
  Operating systems: Windows 7, Vista, XP, Red Hat Enterprise Linux 
  GINA logon: No; Web service: Yes; Own directory: No; AD integration: Yes; LDAP integration: Yes 
  Integrated management software: Yes; Web interface for user management: Yes; Password override: No 


Windows IT Pro, July 2010, page 75 (www.windowsitpro.com) 



Prime Your Mind with Resources from Left-Brain.com 

Left-Brain.com is the online superstore stocked with educational, training, and career-development materials focused on meeting the needs of IT professionals like you. 

Featured Product: Windows PowerShell Poster 
Discover the Power of PowerShell 

Microsoft's Windows PowerShell scripting environment is a huge improvement over other scripting tools, and we can help you learn it! Our new PowerShell poster summarizes key PowerShell concepts, cmdlets, and snippets for group management, Exchange, and other admin tasks. 

Topics covered are PowerShell basics, pipelining, built-in variables, mailbox management, command history, and much more! 

Only $14.95*! 

Order your poster and discover other great PowerShell resources now at Left-Brain.com 

*Plus shipping and applicable tax. 

www.left-brain.com 
INDUSTRY BYTES 

■ iPhone ■ Permissions ■ McAfee 

INSIGHTS FROM THE INDUSTRY 

I Love My iPhone, but I Wonder About Apple 

I know you've probably read about this elsewhere, but—forgive me—I've just got to weigh in on these ridiculous new Microsoft policies. I mean, Redmond's really gone off the rails this time. 

Can you believe that I can only install an application to my Windows 7 laptop if I buy it from Microsoft's website, ensuring that small operators can't give away free apps directly from their websites and that Microsoft always gets 30 percent of all sales? Further, isn't it crazy that "Steve"—Ballmer, that is—actually censors which applications are and aren't acceptable for Windows users, as if we were all children and as if all cultures had the same set of values of what is and isn't acceptable? What's even more irritating is their single-vendor policy. 

I know that most of you have heard of this, but for those who've somehow missed this, Microsoft will now only sell Windows on HP equipment. 

Oh, gosh, I am so sorry, I goofed up there. I meant Apple, not Microsoft—I just can't seem to keep those West Coast tech firms straight in my mind. Seriously, though, the power of great marketing never fails to amaze me. Can you imagine Microsoft getting away with any of the things that I just cited? I surely can't, and never cease to wonder how Apple's chief gets away with them. 

Nevertheless, I sure love my iPhone for a lot of reasons. For one thing, it's easier to get an iPhone to sync with Outlook than it is to do the same thing with Windows Mobile. For another, I learned a long time ago that how good or bad an OS is isn't as important a question when choosing a computer as, "Which one has the most applications available?" And Apple has done a great job in squeezing a usable, attractive interface onto a small screen. 

But for everything that I love about the phone, there's a corresponding irritant. I can't fathom why they'd design a phone that doesn't give me the freedom to buy and use additional or better batteries—when I buy a new phone, the first accessory that I usually buy is the longer-life battery. Ditto the no-tether policy: yeah, I know, blame it on AT&T, but Apple was and is complicit, as they knew what AT&T intended when they cut the deal with them, and in continuing to enforce the no-tether policy through the iPhone OS. 

The thing that really gets me, however, is this MobileMe scam. The phone is small, and its "vibrate" mode is sort of subtle, so most iPhone users who are out at some bar or restaurant either annoy the people around them with some loud ringtone, or set the phone to vibrate and leave it on the table. As a result, it's quite easy to leave your phone behind in a restaurant—I can name at least three friends it's happened to—and, oddly enough, no one ever turns an iPhone in to a lost-and-found department. As a result, that moment's inattention inevitably leads to a trip to the Apple store and $500 for a new phone. Ah, but if you'd paid Apple $99/year for MobileMe, then you could track down the miscreant and with hope get your phone back. 

What puzzles me about the whole lost iPhone thing is this: Why didn't Apple build a "brick the phone remotely" feature into the iPhone? Shouldn't I be able to walk into an AT&T store, produce a government-issued ID card with my picture on it, and ask them to kill the phone? 

Ah well. Perhaps one day we'll have big computers that run networks that could track that stuff. Until then, maybe I should just get a Jitterbug. Those phones seem to always get returned when lost, y'know? 

—Mark Minasi 
InstantDoc ID 125089 
Are NTFS and Share Permissions Too Complicated? 

Most Windows administrators know that NTFS permissions combine with shared folder permissions when it comes to working out effective permissions. What I've generally found, though, is that while this is understood in theory, in practice effective permissions are implemented incorrectly. Users are granted write access to files that they should only have read access to, and users have read access to files they are supposed to have write access to. 

The problem with NTFS permissions is that when combined with share permissions, it takes a few minutes of head scratching for administrators to figure out what access a person actually has, especially if the user is a member of multiple groups. It isn't that these permissions don't work when properly applied; it is just that they are complex, and the more complex something is, the less likely it is to be used properly. 

Anyone who has worked on a Help desk can tell you about untangling permissions. When a user rings up and says that they should have access to a certain file that they do not have access to, a merry chase ensues, with the person in question having to figure out whether the permissions are indeed set correctly and the person calling should not have access to the file, or whether the permissions have been set incorrectly and need to be changed. 
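The combining rule the column describes, and the Help desk question it raises (which of the two layers is taking the access away?), can be written down as a small model. What follows is an added example, not code from the column or from Microsoft's tools: the folder, groups, users and ACLs are constructed, the four rights and the share-level mapping are a simplification of the real Windows right sets, and the rule implemented is the standard one, namely Allow entries accumulate across every group the user belongs to, an explicit Deny overrides Allow, and when the folder is reached through a share the more restrictive of the NTFS result and the share result wins.

```python
"""Model of how NTFS and share permissions combine into effective access.

Added example with constructed data; not the column's or Microsoft's code.
"""
from dataclasses import dataclass

READ, WRITE, DELETE, CHANGE_PERMS = "read", "write", "delete", "change_permissions"
ALL_RIGHTS = frozenset({READ, WRITE, DELETE, CHANGE_PERMS})

# Share permission levels expanded to the rights they grant (simplified mapping).
SHARE_LEVELS = {
    "Read": frozenset({READ}),
    "Change": frozenset({READ, WRITE, DELETE}),
    "Full Control": ALL_RIGHTS,
}


@dataclass(frozen=True)
class Ace:
    """One access-control entry: a principal, Allow (True) or Deny (False), rights."""
    principal: str
    allow: bool
    rights: frozenset


def _accumulate(aces, principals):
    """Union every Allow and every Deny that names one of `principals`.
    Deny wins over Allow, so the result is allowed minus denied."""
    allowed, denied = set(), set()
    for ace in aces:
        if ace.principal in principals:
            (allowed if ace.allow else denied).update(ace.rights)
    return frozenset(allowed - denied)


def effective_access(ntfs_acl, share_acl, user, groups, via_share=True):
    """Return the NTFS result, the share result and the final effective rights
    for `user`, a member of `groups`.  Share permissions only apply when the
    folder is reached over the network (via_share=True); locally they do not."""
    principals = frozenset({user, "Everyone", *groups})
    ntfs_rights = _accumulate(ntfs_acl, principals)
    share_rights = _accumulate(share_acl, principals) if via_share else ALL_RIGHTS
    return {
        "ntfs": ntfs_rights,
        "share": share_rights,
        "effective": ntfs_rights & share_rights,  # most restrictive layer wins
    }


def restricting_side(result):
    """Name the layer a Help desk should look at first: the one that removed
    rights the other layer would have granted ('none' if both agree)."""
    ntfs, share, eff = result["ntfs"], result["share"], result["effective"]
    if eff == ntfs == share:
        return "none"
    if eff < ntfs and eff < share:
        return "both"
    return "share" if eff < ntfs else "ntfs"


# Constructed sample: a hypothetical Finance share on a file server.
NTFS_ACL = [
    Ace("Domain Users", True, frozenset({READ})),
    Ace("Finance", True, frozenset({READ, WRITE, DELETE})),
    Ace("Helpdesk", True, ALL_RIGHTS),
    Ace("Contractors", False, frozenset({WRITE, DELETE})),  # explicit Deny
]
SHARE_ACL = [
    Ace("Everyone", True, SHARE_LEVELS["Read"]),    # the usual default share ACL
    Ace("Finance", True, SHARE_LEVELS["Change"]),
    Ace("Helpdesk", True, SHARE_LEVELS["Read"]),    # nobody raised this to Change
]

if __name__ == "__main__":
    for user, groups in [("alice", {"Finance", "Contractors"}),
                         ("bob", {"Domain Users"}),
                         ("carol", {"Finance", "Domain Users"}),
                         ("dave", {"Helpdesk", "Domain Users"})]:
        r = effective_access(NTFS_ACL, SHARE_ACL, user, groups)
        print(f"{user}: effective={sorted(r['effective'])}, restricted by {restricting_side(r)}")
```

Run as a script it walks four constructed users through the sample ACLs. The two cases the column complains about both show up: alice is in Finance but also in Contractors, so the NTFS Deny strips the write and delete that Finance granted; dave's group has Full Control in NTFS yet only Read on the share, so over the network he is read-only and `restricting_side` points the Help desk at the share rather than the folder ACL. Calling `effective_access` with `via_share=False` shows the same user with full rights when logged on to the server itself.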

NTFS permissions also aren't entirely effective as a security mechanism. Although a person may only have read access to a file on a file server, they can copy that file away from the file server and change the permissions when the file is stored in another location. Similarly, NTFS permissions can't stop you from emailing a file that you have read access to to someone outside your organization. 

In the long term, the best way of setting file access rights is probably going to be through Active Directory Rights Management Services (AD RMS), where the same read/write permissions apply to the file independent of where it is stored. With AD RMS, a user who has permissions that limit them to opening a file and making changes to it has those same permissions whether they've received the file in email, accessed it from a file share, or downloaded it from a SharePoint site. 

At the moment, AD RMS is more complicated to configure than NTFS permissions, and most administrators haven't really played with it and are not aware of its capabilities. However, it will probably replace NTFS permissions as organizations move to platforms that support AD RMS's capabilities. 

—Orin Thomas 


McAfee's svchost.exe SNAFU 

This April, millions of computers came to a dead halt when McAfee mistakenly identified a normal Windows update file (svchost.exe) as infected with the malware Wecorl.a, causing machines to either crash or enter an endless reboot cycle. This false positive affected Windows XP SP3 systems across the board, disabling computers in schools and hospitals, and even halting production lines in some industries. 

McAfee quickly called the troops into action, dedicating its staff of more than 7,000 to fixing the problem. The company's official response to the false positive issue, from the McAfee website, is as follows: 

1. McAfee knows that many customers have incurred a false positive error from the release of the 5958 virus definition file. 

2. Our initial investigation indicates that the error can result in moderate to significant issues on systems running Windows XP Service Pack 3. If you are one of those impacted, we understand this is a significant event for you and we're very sorry. 

3. McAfee is taking every measure to prevent this from reoccurring. 

4. McAfee employees are working with the highest priority to support impacted customers. We have released updated virus definition files that do not contain the problem (DAT 5959 and higher) and are providing customers with detailed guidance on how to repair impacted systems. 

Hackers of course quickly jumped on the bandwagon, putting up websites that claimed to help you solve the problem but instead led straight to malicious links. Visit www.mcafee.com for more details about the event. 

—Lavon Peters 
Your System 
by Jason Bovberg 

Product of the Month 

Inspired by the Porsche 911, the Motormouse computer mouse strikes us as perfect for the go-getter IT guy—or, at least, the beleaguered Civic-driving admin who seeks some revved-up coolness at the office. The slim, ergonomic 2.4GHz wireless mouse comes in red, silver, or black and features a trunk that actually opens (for battery and receiver storage). It's even got real rubber tires, as well as an extra-wide "spare tire" scroll wheel. For more information, and a 360-degree tour, visit the Motormouse website (motormouse.us.com). 

User Moment of the Month 

My all-time favorite user story happened about 10 years ago. I was working for a school district, and a lot of the teachers weren't very well versed in new technologies. They had computer labs set up, and most of the time the students knew more about how to work them than their teachers! Before school started one day, I got a call from a teacher who was having trouble booting up one of the lab computers. I walked him through a couple easy questions, finally asking whether there was a floppy disk inside the drive. His classic response, after some searching, was, "I don't know, but a sticker here says 'Intel Inside.'" —Ron 

Our Favorite Free Utilities 

Active Directory Change Reporter—Track changes and errors to AD and Group Policy configurations. 
BareTail—Monitor log files in real time. 
BotHunter—Diagnose network-based malware infections. 
CamStudio—Record screen and audio activity on your computer. 
CDBurnerXP—Burn CDs and DVDs, including Blu-ray and ISOs. 
Comodo Internet Security—Try this firewall/antivirus solution. 
DriveImage XML—Image and back up logical drives. 
Eraser—Remove sensitive data from your hard disk. 
Ethereal—Try this comprehensive protocol analyzer. 
FileZilla—Easily handle FTP transfers. 
GParted LiveCD—Try this heavy-duty partition tool. 
JkDefrag—Defragment and optimize your disks. 
KeyFinder—Retrieve Windows Product Keys from your registry. 
LocatePC—Protect your system from theft. 
NeWT—Scan networked machines to retrieve information. 
Ngrep—Apply GNU grep's common features to the network layer. 
NMap—Perform network exploration or security auditing. 
NTFS Undelete—Recover deleted files. 
OCS Inventory NG—Automate inventory and deployment. 
OpenSSH—Encrypt all traffic (including passwords). 
PageDefrag—Defragment your paging files and registry hives. 
PhotoRec—Recover files from hard disks and CD-ROMs. 
PRTG—Monitor availability and bandwidth. 
SIW—Gather detailed information about your system properties and settings. 
SyncBack—Easily back up and synchronize files. 
TestDisk—Make non-booting disks bootable again. 
TrueCrypt—Encrypt your disks. 
WinAudit—Audit and inventory your software, licenses, security configuration, hardware, and network settings. 
WinDirStat—View disk-usage statistics and perform cleanup. 
WinDump—Sniff and troubleshoot your network. 
Winfingerprint—Get info about machines on your LAN. 
Wink—Create tutorials and presentations. 
WinPcap—Capture and transmit network packets. 
Special Competitive Upgrade: 50% Discount! 

How does your current software compare? 

VIPRE Enterprise scans at a brisk 13.95 MB/sec and uses just 27% of CPU and 50 MB of RAM. In idle, it uses a mere 133 MB RAM with a disk footprint of just 113 MB. You'll hardly notice it's running! 

Sunbelt Software 

VIPRE Enterprise Premium is a revolutionary new approach. It combines high-performance antivirus, antispyware, and desktop firewall into a single agent so you get comprehensive endpoint malware protection with low system resource usage. It's fast, powerful and easy. 

Plus, advanced anti-malware technology protects your system against the new wave of malware threats. No more juggling multiple programs. No more dealing with user complaints about slow workstation performance. 

• COMPLETE! All-in-one protection from today's malware. 
• FAST! High-performance and low impact on system resources. 
• EASY! Manage everything easily from one command screen. 
• RELIABLE! Configurable, real-time monitoring technology. 
• AFFORDABLE! Ask for a quote with our 50% competitive upgrade discount! 

Why struggle with slow resource hogs when you can manage ALL your malware threats with one fast, easy application? 

Curious? Download your FREE copy of VIPRE Enterprise Premium and give it a test drive. 

When you compare VIPRE Enterprise Premium to Symantec, McAfee, Trend Micro or whatever antivirus program you're using, you WILL want to switch! Don't worry, though. You can get VIPRE Enterprise Premium with a 50% competitive upgrade discount! 

Plus we will buy out your existing maintenance contract for 1 year! 

Download now: www.TestDriveVipre.com 

Sunbelt Software Tel: 1-888-688-8457 or 1-727-562-0101 Fax: 1-727-562-5199 www.SunbeltSoftware.com sales@sunbeltsoftware.com 

© 2010 Sunbelt Software. All rights reserved. VIPRE Enterprise is a trademark of Sunbelt Software. All trademarks used are owned by their respective owners. 

Discount available on new licenses only for a limited time. Buyout offer good on contracts up to 1 year. Subject to change without notice. Contact your Sales Representative for details. 
Xeon inside — Powerful. Intelligent. 

20 YEARS OF x86 SERVER INNOVATION 

Server ROI. Outcomes that matter. 

Next generation HP ProLiant Servers not only pay for themselves,* they migrate and monitor themselves too.† 

• Accelerated ROI in as little as 2 months 
• 20 to 1 server consolidation ratio 
• Accurate, automated server migration 
• Free 24/7 remote support 

HP ProLiant DL380 G7 Servers powered by Intel® Xeon® processor 5600 series lay the foundation for the HP Converged Infrastructure. So you can spend less time managing IT and more time innovating. 

■ Intel® Xeon® Processor E5620 
■ 6 GB memory, up to 192 GB max 
■ Up to 8 small form factor high-performance SAS hard drives with standard cage, or up to 16 SFF or 6 LFF hard drives with optional drive cages 
■ Integrated Lights-Out 3 (iLO 3) providing industry-leading management and powerful administration 

$2,899 (Save $339) 
Lease for just $77/mo.‡ 
SmartBuy (PN: 605077-005) 

Register to download the IDC white paper Managing the Server Migration Process: The HP Approach to Reducing Operational Costs at hp.com/servers/fastforward8 or call 800-282-6672. 

*Based on HP internal testing comparing the HP ProLiant DL380 G4 to HP ProLiant DL380 G7. 
†HP Insight Migration Software and HP Insight Remote Support automate most migration and monitoring tasks. 

Intel, the Intel logo, Xeon, and Xeon Inside are trademarks or registered trademarks of Intel Corporation in the U.S. and other countries. 

‡Prices shown are HP Direct prices; reseller and retail prices may vary. Prices shown are subject to change and do not include applicable state and local taxes, or shipping to recipient's address. Offers cannot be combined with any other offer or discount and are good while supplies last. All featured offers available in U.S. only. Savings based on HP published list price of configure-to-order equivalent (DL380 G7 Server: $3,238 - $339 = SmartBuy price of $2,899). Financing available through Hewlett-Packard Financial Services Company and its subsidiaries (HPFSC) to qualified commercial customers in the U.S. and is subject to credit approval and execution of standard HPFSC documentation. Prices shown are based on a lease of 48 months in term with a fair market value purchase option at the end of the term and are valid through July 31, 2010. Other rates apply for other terms and transaction sizes. Financing is available on transactions greater than $349. Other charges and restrictions may apply. HPFSC reserves the right to change or cancel this program at any time without notice. This offer cannot be combined with any other rebate, discount or promotion without prior approval by HP and HPFSC. Rates are based on customer's credit rating, financing terms, offering types, equipment type and options. Not all customers may qualify for these rates. Other restrictions may apply. 
Copyright © 2010 Hewlett-Packard Development Company, L.P. 